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Abstract 

This paper studies the complexity classes QZK and HVQZK, the classes of problems having a quantum com- 
putational zero-knowledge proof system and an honest-verifier quantum computational zero-knowledge proof 
system, respectively. The results proved in this paper include; 

• HVQZK = QZK. 

• Any problem in QZK has a public-coin quantum computational zero-knowledge proof system. 

• Any problem in QZK has a quantum computational zero-knowledge proof system of perfect completeness. 

• Any problem in QZK has a three-message public-coin quantum computational zero-knowledge proof 
system of perfect completeness with polynomially small error in soundness (hence with arbitrarily small 
constant error in soundness). 

All the results proved in this paper are unconditional, i.e., they do not rely any computational assumptions such 
as the existence of quantum one-way functions or permutations. For the classes QPZK, HVQPZK, and QSZK 
of problems having a quantum perfect zero-knowledge proof system, an honest-verifier quantum perfect zero- 
knowledge proof system, and a quantum statistical zero-knowledge proof system, respectively, the following 
new properties are proved: 

• HVQPZK = QPZK. 

• Any problem in QPZK has a public-coin quantum perfect zero-knowledge proof system. 

• Any problem in QSZK has a quantum statistical zero-knowledge proof system of perfect completeness. 

• Any problem in QSZK has a three-message public-coin quantum statistical zero-knowledge proof system 
of perfect completeness with polynomially small error in soundness (hence with arbitrarily small constant 
error in soundness). 

It is stressed that the proofs for all the statements are direct and do not use complete promise problems or those 
equivalents. This gives a unified framework that works well for all of quantum perfect, statistical, and compu- 
tational zero-knowledge proofs. In particular, this enables us to prove properties even on the computational and 
perfect zero-knowledge proofs for which no complete promise problems nor those equivalents are known. 



1 Introduction 



1.1 Background 

Zero-knowledge proof systems were introduced by Goldwasser, Micali, and Rackoff [15], and have played a central 
role in modern cryptography since then. Intuitively, an interactive proof system is zero-knowledge if any verifier 
who communicates with the honest prover learns nothing except for the validity of the statement being proved in 
that system. By "learns nothing" we mean that there exists a polynomial-time simulator whose output is indistin- 
guishable from the output of the verifier after communicating with the honest prover. Depending on the strength of 
this indistinguishability, several variants of zero-knowledge proofs have been investigated: perfect zero-knowledge 
in which the output of the simulator is identical to that of the verifier, statistical zero-knowledge in which the 
output of the simulator is statistically close to that of the verifier, and computational zero-knowledge in which the 
output of the simulator is indistinguishable from that of the verifier in polynomial time. The most striking result 
on zero-knowledge proofs would be that every problem in NP has a computational zero-knowledge proof system 
under certain intractability assumptions ITTIl like the existence of one-way functions ll24l [TTl . It is also known 
that some problems have perfect or statistical zero-knowledge proof systems. Among others, the Graph ISO- 
MORPHISM problem has a perfect zero-knowledge proof system 111], and some lattice problems have statistical 
zero-knowledge proof systems [10]. 

Another direction of studies on zero-knowledge proofs has been to prove general properties of zero-knowledge 
proofs. Sahai and Vadhan (2S'] were the first that took an approach of characterizing zero-knowledge proofs by 
complete promise problems. They showed that the STATISTICAL DIFFERENCE problem is complete for the class 
HVSZK of problems having an honest-verifier statistical zero-knowledge proof system. Here, the honest-verifier 
zero-knowledge is a weaker notion of zero-knowledge in which now zero-knowledge property holds only against 
the honest verifier who follows the specified protocol. Using this complete promise problem, they proved a num- 
ber of general properties of HVSZK and simplified the proofs of several previously known results including that 
HVSZK is in AM EO, that HVSZK is closed under complement [26], and that any problem in HVSZK has 
a public-coin honest- verifier statistical zero-knowledge proof system [26]. Goldreich and Vadhan |[T4ll presented 
another complete promise problem for HVSZK, called the ENTROPY DIFFERENCE problem, and obtained further 
properties of HVSZK. Since Goldreich, Sahai, and Vadhan [12] proved that HVSZK = SZK, where SZK denotes 
the class of problems having a statistical zero-knowledge proof system, all the properties for HVSZK are inherited 
to SZK (except for those related to round complexity). Along this line, Goldreich, Sahai, and Vadhan |[T3l gave two 
complete promise problems for the class NISZK of problems having a non-interactive statistical zero-knowledge 
proof system, and derived several properties of NISZK. More recently, Vadhan 131] gave two characterizations, 
the Indistinguishability characterization and the Conditional Pseudo-Entropy characterization, for the 
class ZK of problems having a computational zero-knowledge proof system. These are not complete promise 
problems, but more or less analogous to complete promise problems and play essentially same roles as complete 
promise problems in his proof. Using these characterizations, Vadhan proved a number of general properties for ZK 
unconditionally (i.e., not assuming any intractability assumptions), such as that honest- verifier computational zero- 
knowledge equals general computational zero-knowledge, that public-coin computational zero-knowledge equals 
general computational zero-knowledge, and that computational zero-knowledge of perfect completeness equals 
general two-sided bounded error computational zero-knowledge. 

Quantum zero-knowledge proofs were first studied by Watrous ll32ll in a restricted situation of honest-verifier 
quantum statistical zero-knowledge proofs. He gave an analogous characterization to the classical case by Sa- 
hai and Vadhan [28] by showing that the Quantum State Distinguishability problem is complete for the 
class HVQSZK of problems having an honest-verifier quantum statistical zero-knowledge proof system. Using 
this, he proved a number of general properties for HVQSZK, such as that HVQSZK is closed under complement, 
that any problem in HVQSZK has a public-coin honest-verifier quantum statistical zero-knowledge proof system, 
and that HVQSZK is in PSPACE. Very recently, Ben-Aroya and Ta-Shma 131 presented another complete promise 
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problem for HVQSZK, called the Quantum Entropy Difference problem, which is a quantum analogue of 
the result by Goldreich and Vadhan f\A\. Kobayashi flT] studied non-interactive quantum perfect and statistical 
zero-knowledge proofs again using a complete promise problem, which can be viewed as a quantum version of 
the classical result by Goldreich, Sahai, and Vadhan [13 |. It has been a wide open problem if there are nontrivial 
problems that has a quantum zero-knowledge proof system secure even against any dishonest quantum verifiers, 
because of the difficulties arising from the "rewinding" technique fT6l, which is commonly-used in classical zero- 
knowledge proofs. Damgard, Fehr, and Salvail [5] studied zero-knowledge proofs against dishonest quantum veri- 
fier, but they assumed the restricted setting of the common-reference-string model to avoid this rewinding problem. 
Very recently, Watrous ll34l settled this affirmatively. He developed a quantum "rewinding" technique by using a 
method that was originally developed in Ref. f23 1 for the purpose of amplifying the success probability of QMA, 
a quantum version of NP, without increasing quantum witness sizes. With this quantum rewinding technique, he 
proved that the classical protocol for the Graph Isomorphism problem in Ref. [1 1 J has a perfect zero-knowledge 
property even against any dishonest quantum verifiers, and under some reasonable intractability assumption, the 
classical protocol for NP in Ref. [iT| has a computational zero-knowledge property even against any dishonest 
quantum verifiers. He also proved that HVQSZK = QSZK, where QSZK denotes the class of problems having 
a quantum statistical zero-knowledge proof system. This implies that all the properties for HVQSZK proved in 
Ref. |[32l are inherited to QSZK (except for those related to round complexity), in particular, that any problem in 
QSZK has a public-coin quantum statistical zero-knowledge proof system. 

1.2 Our Contribution 

This paper proves a number of general properties on quantum zero-knowledge proofs, not restricted to quantum 
statistical zero-knowledge proofs. Specifically, for quantum computational zero-knowledge proofs, letting QZK 
and HVQZK denote the classes of problems having a quantum computational zero-knowledge proof system and 
an honest-verifier quantum computational zero-knowledge proof system, respectively, the following are proved 
among others: 

Theorem (Theorem Eg. HVQZK = QZK. 

Theorem (Theorem [30l ). Any problem in QZK has a public-coin quantum computational zero-knowledge proof 
system. 

Theorem (Theorem [32] ). Any problem in QZK has a quantum computational zero-knowledge proof system of 
perfect completeness. 

Theorem (Theorem [34l ). Any problem in QZK has a three-message public-coin quantum computational zero- 
knowledge proof system of perfect completeness with soundness error probability at most | for any polynomially 
bounded function p: N (hence with arbitrarily small constant error in soundness). 

All the properties proved in this paper on quantum computational zero-knowledge proofs hold unconditionally, 
meaning that they hold without any computational assumptions such as the existence of quantum one-way functions 
or permutations. Some of these properties may be regarded as quantum versions of the results by Vadhan [31J. It is 
stressed, however, that our approach to prove these properties is completely different from those the existing studies 
took to prove general properties of classical or quantum zero-knowledge proofs. No complete promise problems 
nor those equivalents are used in our proofs. Instead, we directly prove these properties, which gives a unified 
framework that works well for all of quantum perfect, statistical, and computational zero-knowledge proofs. 

The idea is remarkably simple. We start from any protocol of honest-verifier quantum zero-knowledge, and ap- 
ply several modifications so that we finally obtain another protocol of honest- verifier quantum zero-knowledge that 
possesses a number of desirable properties. For instance, to prove that HVQZK = QZK, we show that any protocol 
of honest-verifier quantum computational zero-knowledge can be modified to another protocol of honest-verifier 
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quantum computational zero-knowledge (with some smaller gap between completeness and soundness accepting 
probabilities) such that (i) the protocol consists of three messages and (ii) the protocol is public-coin in which the 
message from the honest verifier consists of a single bit that is an outcome of a classical fair coin-flipping. Note 
that such modifications are possible in the case of usual quantum interactive proofs |[20ll23l . and we show that this 
is also the case for honest-verifier quantum computational zero-knowledge proofs. Now we apply the quantum 
rewinding technique due to Watrous f34| to show that the protocol is zero-knowledge even against any dishonest 
quantum verifiers. The final tip is the sequential repetition, which reduces completeness and soundness errors ar- 
bitrarily small. This simultaneously shows the equivalence of public-coin quantum computational zero-knowledge 
and general quantum computational zero-knowledge. To show that any quantum computational zero-knowledge 
proofs can be made perfect complete, now we have only to show that any honest-verifier quantum computational 
zero-knowledge proofs can be made perfect complete. Again a similar property is known to hold for usual quan- 
tum interactive proofs ll20l . and we carefully modify the protocol so that it holds even for the honest- verifier 
quantum computational zero-knowledge case. Using this modification as a preprocessing, the previous argument 
shows the equivalence of quantum computational zero-knowledge of perfect completeness and general quantum 
computational zero-knowledge. Combining all the desirable properties of honest-verifier quantum computational 
zero-knowledge proofs shown in this paper with a careful application of the quantum rewinding technique, we can 
show that any problem in QZK has a three-message public-coin quantum computational zero-knowledge proof 
system of perfect completeness with soundness error at most ^ for any polynomially bounded function p. 

In fact, our approach above is very general and basically works well even for quantum perfect and statistical 
zero-knowledge proofs. In the quantum statistical zero-knowledge case, all the properties shown for the quantum 
computational zero-knowledge case also hold. This gives alternative proofs of some of the properties obtained in 
Refs. Il32ll34l . and also shows the following new properties of quantum statistical zero-knowledge proofs: 

Theorem (Theorem 137 1) . Any problem in QSZK has a quantum statistical zero-knowledge proof system of perfect 
completeness. 

Theorem (Theorem |38] ). Any problem in QSZK has a three-message public-coin quantum statistical zero- 
knowledge proof system of perfect completeness with soundness error probability at most | for any polynomially 
bounded function p: Z"^ N (hence with arbitrarily small constant error in soundness). 

In the quantum perfect zero-knowledge case, however, not all the properties above can be shown to hold, 
because very subtle points easily lose the perfect zero-knowledge property. In particular, our method of making 
protocols perfect complete that works well for quantum computational and statistical zero-knowledge cases no 
longer works well for quantum perfect zero-knowledge case. Also, we need a very careful modification of the 
protocol when parallelizing to three messages. Still, we can show the following properties: 

Theorem (Theorem HD. HVQPZK = QPZK 

Theorem (Theorem 1231). Any problem in QPZK has a public-coin quantum perfect zero-knowledge proof system. 

Note that no such general properties are known for the classical perfect zero-knowledge case. As a bonus property, 
it is also proved that the quantum perfect zero-knowledge with a worst-case polynomial-time simulator that is not 
allowed to output "FAIL" is equivalent to the one in which a simulator is allowed to output "FAIL" with small 
probability. Again, such equivalence is not known in the classical case. 

1.3 Organization of This Paper 

This paper is organized as follows. Section |2] summarizes the notions and notations that are used in this paper. 
Sections m m and [5] treat our results for quantum perfect, computational, and statistical zero-knowledge proofs, 
respectively. In order to present a unified framework that works well for all of quantum perfect, computational, 
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and statistical zero-knowledge proofs, we first show the results for the perfect zero-knowledge case. This may 
involve more careful modifications of the protocols that are necessary only for the perfect zero-knowledge case, 
but once we have presented how to modify the protocols, we can avoid complications arising from imperfect zero- 
knowledge conditions when proving zero-knowledge property, which will be helpful to illustrate most of our proof 
structures in a simpler setting. Section |6] proves the equivalence of two different definitions of quantum perfect 
zero-knowledge. Finally, Section|7] concludes the paper with some open problems. 

2 Preliminaries 

We assume the reader is familiar with classical zero-knowledge proof systems and quantum interactive proof sys- 
tems. Detailed discussions of classical zero-knowledge proof systems can be found in Refs. HJIH, for instance, 
while quantum interactive proof systems are discussed in Refs. ^331 |20l |23l and are reviewed in Appendix El We 
also assume familiarity with the quantum formalism, including the quantum circuit model and definitions of mixed 
quantum states, admissible transformations (completely-positive trace-preserving mappings), trace norm, diamond 
norm, and fidelity (all of which are discussed in detail in Refs. 1251 [191 . for instance). 

Some of the notions and notations that are used in this paper are summarized in this section. 

Throughout this paper, let N and Z+ denote the sets of positive and nonnegative integers, respectively. For 
every d G N, let denote the identity operator of dimension d. Also, for any Hilbert space H, let I-j-i denote the 
identity operator over H. In this paper, all Hilbert spaces are of dimension power of two. 

2.1 Quantum Formalism 

For any Hilbert spaces H and JC, let Y){7{), \J{Tl), and T{7{,]C) denote the sets of density operators over TL, 
unitary operators over Tl, and admissible transformations from Tl to /C, respectively. For any Hilbert space TL, let 
|0-^) denote the quantum state in H of which all the qubits are in state |0). 

Let H and /C be the Hilbert spaces and let $ G T(7^ , /C) be an admissible transformation. Let M, X, and y be 
Hilbert spaces such that Ti ® X = K, ®y = M. A unitary transformation G U(AA) is a unitary realization of 
$ if tryC/^ (p ® \{)x) (Oa' I) Ul = for any p £ B{n). 

The following approximate version of unitary equivalence is used in this paper. 

Lemma 1 (1321). For Hilbert spaces TC and IC, let \(f)) , £ TC (Si fC satisfy that F{tric\(l)){(l)\,tric\tp){tp\) >l-e 
for some e G [0, 1]. Then there exists a unitary transformation U G U(/C) such that W^h ^ — < \/2e. 

2.2 Quantum Circuits and Polynomial- Time Preparable Ensembles of Quantum States 

It is assumed that any quantum circuit Q in this paper is unitary and is composed of gates in some reasonable, 
universal, finite set of unitary quantum gates. For convenience, we may identify a circuit Q with the unitary 
operator it induces. 

Since non-unitary and unitary quantum circuits are equivalent in computational power [1], it is sufficient to 
treat only unitary quantum circuits, which justifies the above assumption. For avoiding unnecessary complication, 
however, the descriptions of procedures often include non-unitary operations in the subsequent sections. Even in 
such cases, it is always possible to construct unitary quantum circuits that essentially achieve the same procedures 
described. A quantum circuit Q is Qm-in Qout-out if it exactly implements a unitary realization C/$ of some gin-in 
gout -out admissible transformation <1>. For convenience, we may identify a circuit Q with <I> in such a case. As 
a special case of this, a quantum circuit Q is a generating circuit of a quantum state p of q qubits if it exactly 
implements a unitary realization of a zero-in g-out admissible transformation that always outputs p. 
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Following preceding studies on quantum interactive and zero-knowledge proofs, this paper uses the following 
notion of polynomial-time uniformly generated families of quantum circuits. 

A family {Qx} of quantum circuits is polynomial-time uniformly generated if there exists a deterministic pro- 
cedure that, on every input x, outputs a description of and runs in time polynomial in |x|. It is assumed that the 
number of gates in any circuit is not more than the length of the description of that circuit. Hence Qx must have 
size polynomial in 

When proving statements concerning quantum perfect zero-knowledge proofs or proofs having perfect com- 
pleteness, we assume that our universal gate set satisfies some conditions, since these "perfect" properties may not 
hold with an arbitrary universal gate set. In fact, this is also the case for some previous studies on quantum interac- 
tive or zero-knowledge proofs, including the papers by Kitaev and Watrous f20l and by Marriott and Watrous l f23]| . 
when deriving statements with perfect completeness property. The correctness of our results concerning quantum 
perfect zero-knowledge proofs or proofs having perfect completeness may be discussed under a similar assumption 
to those studies on the choice of the universal gate set. Fortunately, the author learned from John Watrous ll35l that 
the choice of the gate set would not be so critical and all the "perfect" properties claimed in Refs. |[20l l2?l and in this 
paper hold with any gate set such that the Hadamard transformation and any classical reversible transformations 
are exactly implementable. Note that this condition is satisfied by most of the standard gate sets including the Shor 
basis |[30ll consisting of the Hadamard gate, the controlled-i-phase-shift gate, and the Toffoli gate. These subtle 
issues regarding choices of the universal gate set will be explained in detail in Appendix iBl It is stressed, however, 
that all of our statements not concerning quantum perfect zero-knowledge proofs nor proofs having perfect com- 
pleteness do hold for an arbitrary choice of the universal gate set (the completeness and soundness conditions may 
become worse by negligible amounts in some of the claims, which does not matter for the final main statements). 

Finally, this paper uses the following notion of polynomial-time preparable ensembles of quantum states, which 
was introduced in Ref. fy2\. 

An ensemble {px} of quantum states is polynomial-time preparable if there exists a polynomial-time uniformly 
generated family {Qx} of quantum circuits such that each Qx is a generating circuit of px- In what follows, we 
may use the notation {p{x)} instead of {px} for ensembles of quantum states simply for descriptional convenience. 

2.3 Quantum Computational Indistinguishability 

We use the notions of quantum computational indistinguishability introduced by Watrous 1 34 1 : polynomially quan- 
tum indistinguishable ensembles of quantum states and polynomially quantum indistinguishable ensembles of ad- 
missible transformations. 

First, the quantum computational indistinguishability between two ensembles of quantum states is defined as 
follows. 

Definition 2. Let S C {0, 1}* be an infinite set and let m: Z"*" — > N be a polynomially bounded function. For 
each X G S", let px and cr^ be mixed states of m(|x|) qubits. The ensembles {px'- x ^ S} and {ax'- x ^ S} wq 
polynomially quantum indistinguishable if, for every choice of 

• polynomially bounded functions k,p,s: Z+ N, 

• an ensemble {^x '■ x G S}, where ^x is a mixed state of k{\x\) qubits, and 

• an (m(|a;|) + A;(|x|))-in 1-out quantum circuit Q of size at most s(|x|), 
it holds that 

\{l\Q{Px ® Cx)\l) - (1|QK ® ^x)\l)\ < 

for all but finitely many x G 5. 
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Next, the quantum computational indistinguishability between two ensembles of admissible transformations is 
defined as follows. 

Definition 3. Let S C {0, 1}* be an infinite set and let I, m: Z"*" — > N be polynomially bounded functions. For 
each X G 5, let and ^'^ be Z(|x|)-in m(|x|)-out admissible transformations. The ensembles {^^ ■ x £ S} and 
{^x ■ X £ S} are polynomially quantum indistinguishable if, for every choice of 

• polynomially bounded functions k,p,s: Z+ N, 

• an ensemble {^x ■ x € S}, where ^x is a mixed state of ^(|x|) + A;(|x|) qubits, and 

• an (m(|x|) + /i:(|x|))-in 1-out quantum circuit Q of size at most s(|x|), 
it holds that 

|(l|g(($,®/2fe(N))(ex))|l>-(l|Q((*x®/2MW))fe))|l)| < 

for all but finitely many x S 5. 

In what follows, we will often use the term "computationally indistinguishable" instead of "polynomially quan- 
tum indistinguishable" for simplicity. Also, we will often informally say that mixed states px and Gx or admissi- 
ble transformations <^x and '^x are computationally indistinguishable when x G 5 to mean that the ensembles 
{px : X G 5"} and {ax : x G 5} or {<^x : x G 5"} and {^x : x G 5} are polynomially quantum indistinguishable. 



2.4 Quantum Zero-Knowledge Proofs 

For readability, in what follows, the arguments x and n are dropped in the various functions, if it is not confusing. 
It is assumed that operators acting on subsystems of a given system are extended to the entire system by tensoring 
with the identity, since it will be clear from context upon what part of a system a given operator acts. Although 
all the statements in this paper can be proved only in terms of languages without using promise problems 161, 
in what follows we define models and prove statements in terms of promise problems, for generality and for the 
compatibility with some other studies on quantum zero-knowledge proofs lf32ll2Tl[34l [3l. 

First we define the notions of various honest-verifier quantum zero-knowledge proofs following a manner 
in Ref. |[32l for the statistical zero-knowledge case. Given a quantum verifier V and a quantum prover P, let 
viewy p(x,j) be the quantum state that V possesses immediately after the jth transformation of P during an 
execution of the protocol between V and P. In other words, viewy p(x,j) is the state obtained by tracing out the 
private space of P from the state of the entire system immediately after the jth transformation of P. 

Now we define the classes HVQPZK(m, c, s), HVQSZK(m, c, s), and HVQZK(m, c, s) of problems having 
m-message honest-verifier quantum perfect, statistical, and computational zero-knowledge proof systems, respec- 
tively, with completeness accepting probability at least c and soundness accepting probability at most s. 

Definition 4. Given a polynomially bounded function m: Z+ N and functions c, s: Z"*" — > [0, 1], a problem 
A = {^yes,^no} is in HVQPZK(?Ti, c, s) iff there exists an m-message honest quantum verifier V and an m- 
message honest quantum prover P such that 

(Completeness and Soundness) {V, P) forms an m-message quantum interactive proof system with completeness 
accepting probability at least c and soundness accepting probability at most s, 

(Honest- Verifier Perfect Zero-Knowledge) there exists a polynomial-time preparable ensembles {5'y(x,j)} of 
quantum states such that S'y(x, j) = viewy^p(x, j) for every x G Ay^s and for each 1 < j < [" "^ ^^^^ J . 
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Definition 5. Given a polynomially bounded function m: Z"*" N and functions c, s: Z+ [0, 1], a problem 
A = {Ayes, Ano} is in HVQSZK(m, c, s) iff there exists an m-message honest quantum verifier V and an m- 
message honest quantum prover P such that 

(Completeness and Soundness) {V, P) forms an m-message quantum interactive proof system with completeness 
accepting probability at least c and soundness accepting probability at most s, 

(Honest- Verifier Statistical Zero-Knowledge) there exists a polynomial-time preparable ensembles {Sv{x,j)} of 
quantum states such that \\Sv{x,j) — viewy^p(x, j)||tr is negligible with respect to \x\ for all but finitely 
many (x,j)G Ayes x{l,...,[!lf^]}. 

Definition 6. Given a polynomially bounded function m: Z"*" —>■ N and functions c, s: Z+ — > [0, 1], a problem 
A = {Ayes, Ano} is in HVQZK(m, c,s) iff there exists an m-message honest quantum verifier V and an m- 
message honest quantum prover P such that 

(Completeness and Soundness) {V, P) forms an m-message quantum interactive proof system with completeness 
accepting probability at least c and soundness accepting probability at most s, 

(Honest- Verifier Computational Zero-Knowledge) there exists a polynomial-time preparable ensembles 
{Svix,j)} of quantum states such that the ensembles {5y(x,j) : x £ Ayes and j G {l, . . . , }} 
and { viewy,p(x, j) : x £ Ayes and j G { 1, . . . , [" ™'^^^^-' ] } } are polynomially quantum indistinguishable. 

Remark. In the original definition of honest- verifier quantum statistical zero-knowledge by Watrous |[32l . the sim- 
ulator is required to simulate the quantum state that V possesses immediately after the jth message, for every j. 
That is, regardless of whether the jth message is sent from P or from V, the simulator must be able to simulate 
the quantum state that V possesses immediately after the jth message. In our definition, the simulator is required 
to simulate it only when the jth message is from P. Notice, however, that every transformation of V is necessarily 
simulatable by the simulator, which implies that our condition is sufficient and does not weaken the honest- verifier 
zero-knowledge property. 

Using these, we define the classes HVQPZK, HVQSZK, and HVQZK of problems having honest-verifier 
quantum perfect, statistical, and computational zero-knowledge proof systems, respectively. 

Definition 7. A problem A = {ylycs, ^no} is in HVQPZK if there exists a polynomially bounded function 
m : Z+ ^ N such that A is in HVQPZK (m, | , i) . 

Definition 8. A problem A = {Ayes, A^o} is in HVQSZK if there exists a polynomially bounded function 
m: Z+ ^ N such that A is in HVQSZK (m, |, 1). 

Definition 9. A problem A = {Ayes,Aao} is in HVQZK if there exists a polynomially bounded function 
m : Z+ ^ N such that A is in HVQZK (m, | , i) . 

Note that it is easy to see that we can amplify the success probabiUty of honest-verifier quantum per- 
fect/statistical/computational zero-knowledge proof systems by a sequential repetition, which justifies Defini- 
tions |71[8l and 121 

Next we define the notions of various quantum zero-knowledge proofs following a manner in Ref. ll34l . 

Let V be an arbitrary quantum verifier. Suppose that V possesses some auxiliary quantum state in D(,A) at the 
beginning for some Hilbert space A, and possesses some quantum state in D(Z) after the protocol for some Hilbert 
space Z. For such V, for any quantum prover P, and for every x G {0, 1}*, let {V, P){x) denote the admissible 
transformation in T(,A, Z) induced by the interaction between V and P on input x. We call this {V, P){x) the 
induced admissible transformation from V, P, and x. 
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We define the classes QPZK(m, c, s), QSZK(m, c,s), and QZK(m,c, s) of problems having m-message 
quantum perfect, statistical, and computational zero-knowledge proof systems, respectively, with completeness 
accepting probability at least c and soundness accepting probability at most s, as follows. 

Definition 10. Given a polynomially bounded function m: Z+ N and functions c, s: Z+ [0, 1], a problem 
A = {Ayes, ^no} is in QPZK(m, c, s) iff there exists an m-message honest quantum verifier V and an m-message 
honest quantum prover P such that 

(Completeness and Soundness) (V, P) forms an m-message quantum interactive proof system with completeness 
accepting probabiUty at least c and soundness accepting probability at most s, 

(Perfect Zero-Knowledge) for any m-message quantum verifier V', there exists a polynomial-time uniformly gen- 
erated family {Qx} of quantum circuits, where each exactly implements an admissible transformation 
Sv'{x), such that 5y'(x) = {V',P){x) for every x G Ayes, where {V',P){x) is the induced admissible 
transformation from V', P, and x. 

Definition 11. Given a polynomially bounded function m: Z+ ^ N and functions c, s: Z+ ^ [0, 1], a problem 
A = {Ayes, ^no} is in QSZK(m, c, s) iff there exists an m-message honest quantum verifier V and an m-message 
honest quantum prover P such that 

(Completeness and Soundness) (V, P) forms an m-message quantum interactive proof system with completeness 
accepting probabiUty at least c and soundness accepting probability at most s, 

(Statistical Zero-Knowledge) for any m-message quantum verifier V', there exists a polynomial-time uniformly 
generated family {Qx} of quantum circuits, where each Qx exactly implements an admissible transformation 
Sv (x), such that \\Sv' (x) — {V , P) (x) ||o is negligible with respect to |a:| for all but finitely many x G Ayes, 
where {V, P){x) is the induced admissible transformation from V, P, and x. 

Definition 12. Given a polynomially bounded function m: Z+ — >^ N and functions c, s : Z+ [0, 1], a problem 
A = {Ayes, Ano} is in QZK(m, c, s) iff there exists an m-message honest quantum verifier V and an m-message 
honest quantum prover P such that 

(Completeness and Soundness) (V, P) forms an m-message quantum interactive proof system with completeness 
accepting probabiUty at least c and soundness accepting probability at most s, 

(Computational Zero-Knowledge) for any m-message quantum verifier V', there exists a polynomial-time uni- 
formly generated family {Qa;} of quantum circuits, where each Qx exactly implements an admissible trans- 
formation Sv'{x), such that the ensembles {Sv'{x) : x G Ayes} and {(V^', P){x) : x G Ayes} are polynomi- 
ally quantum indistinguishable, where {V', P){x) is the induced admissible transformation from V', P, and 

X. 

Using these, we define the classes QPZK, QSZK, and QZK of problems having quantum perfect, statistical, 
and computational zero-knowledge proof systems, respectively. 

Definition 13. A problem A = {Ayes, Ano} is in QPZK if there exists a polynomially bounded function 
m : Z+ ^ N such that A is in QPZK (m, | , i) . 

Definition 14. A problem A = {Ayes, Ano} is in QSZK if there exists a polynomially bounded function 
m: Z+ ^ N such that A is in QSZK (m, |, i). 
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Definition 15. A problem ^4 = {^ycs, ^no} is in QZK if there exists a polynomially bounded function 
m: Z+ ^ N such that A is in QZK (m, |, i). 

Note that again it is not hard to see that we can amplify the success probability of quantum per- 
fect/statistical/computational zero-knowledge proof systems by a sequential repetition, which justifies Defini- 
tions [El [Ml and [El 

Remark. It is noted that, in the classical case, the most common definition of perfect zero-knowledge proofs seems 
to allow the simulator to output "FAIL" with small probability, say, with probability at most ^ |8, 28]. Adopting 
this convention leads to alternative definitions of honest- verifier and general quantum perfect zero-knowledge proof 
systems. At a glance, these two types of definitions seem likely to form different complexity classes of quantum 
perfect zero-knowledge proofs. Fortunately, it is proved from our results shown in Section [3] that it is not the case 
and the two types of definitions result in the same complexity class of quantum perfect zero-knowledge proofs. It 
is stressed that such equivalence is not known in the classical case. See Section [6] for further discussions on the 
definitions of quantum perfect zero-knowledge. 

3 Perfect Zero-Knowledge Case 

We first discuss the case of quantum perfect zero-knowledge proofs. This gives a unified framework that works well 
for all of quantum perfect, statistical, and computational zero-knowledge proofs. Although we need very careful 
modifications of the protocols that ai^e necessary only for the perfect zero-knowledge case, once we have presented 
how to modify the protocols, we can avoid complications arising from imperfect zero-knowledge conditions when 
proving zero-knowledge property. Indeed, the cases of quantum computational and statistical zero-knowledge 
proofs are proved in almost same ways, as will be discussed later, except that we need bit more complicated 
arguments when proving zero-knowledge conditions. 

3.1 Parallelization of Honest- Verifier Quantum Perfect Zero-Knowledge Proof Systems 

This subsection proves that any honest-verifier quantum perfect zero-knowledge proof system that involves poly- 
nomially many messages can be parallelized to one that involves only three messages. 

In the case of usual quantum interactive proofs, Kitaev and Watrous |[20l proved the parallelizability to three 
messages. Here we modify their method so that it works well with honest- verifier quantum perfect zero-knowledge 
proofs. Actually, the method due to Kitaev and Watrous works well even in the cases of honest-verifier quantum 
statistical or computational zero-knowledge proofs (if the completeness error is negligible, which may be assumed 
without loss of generality since the success probability can be amplified by sequential repetition), and thus, we do 
not need our modified version in these cases. However, we do need our modified version in the case of honest- 
verifier quantum perfect zero-knowledge proofs, since the Kitaev-Watrous method may not preserve the perfect 
zero-knowledge property for proof systems of imperfect completeness. We explain this in more detail. 

The main idea in the original parallelization protocol in Ref. lf20l is that the verifier receives each snapshot state 
of the underlying protocol as the first message, and then checks if the following three properties are satisfied: (i) the 
first snapshot state is a legal state in the underlying protocol after the first message, (ii) the last snapshot state can 
make the original verifier accept, and (iii) any two consecutive snapshot states are indeed transformable with each 
other by one round of communication. In order to check these three, at the first transformation of the verifier in the 
original parallelization protocol in Ref. flO^I, he first checks if the conditions (i) and (ii) really hold for the received 
snapshot states, which aims to prevent a dishonest prover from preparing any illegal sequence of snapshot states 
that can pass the check for the condition (iii) by violating the conditions on the initial and last snapshot states. The 
problem arises here, in the check for the last snapshot state, when we want to parallelize a protocol of honest- verifier 
quantum perfect zero-knowledge with imperfect completeness. Because of imperfect completeness, the verifier's 
check can fail even if the honest prover prepares every snapshot state honestly, which means that the verifier's check 
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causes a small perturbation to the snapshot states. Now we have difficulty in perfectly simulating the behavior of 
the honest prover with respect to this perturbed state, which causes the loss of the perfect zero-knowledge property. 

To avoid this difficulty, we modify the parallelization protocol as follows. Our basic idea is to postpone the 
verifier's check for the last snapshot state until after the third message. At the final verification of the verifier, 
he either carries out the postponed check for the last snapshot state with probability ^, or just carries out the 
original final verification procedure with probability i. Now the honest- verifier perfect zero-knowledge property 
becomes straightforward, since there is no perturbation to all the snapshot states until after the last transformation 
of the verifier. The completeness property cannot become worse than that in the original protocol. However, the 
soundness condition now becomes a bit harder to prove, because we can no longer assume that a sequence of 
snapshot states prepared by a dishonest prover satisfies the condition (ii), when analyzing the probability to pass 
the transformability test for (iii). To overcome this, we show a general property in quantum information theory in 
Lemma [T6l which is a generalization of Lemma 5 in Ref. ||20]| . This generalization enables us to analyze the case 
in which the last snapshot state may not necessarily make the original verifier accept, and thus, has much more 
flexibility than Lemma 5 in Ref. flOl, which is applicable only to the case in which the last snapshot state makes 
the original verifier accept with certainty. 

Lemma 16. Let V and M be any Hilbert spaces. For a positive integer k > 2 and e, 5 G [0, 1] such that 
e < 5, suppose that a sequence of unitary operators Vi, . . . , T4 £ U(V and a projection operator H act- 
ing over V (8) onto some subspace ofV^M satisfy that \\IlVkPk-iVk~i • • • -Pi^ilOv^A^^p) IP ^ 1 ~ 6 for 
any Hilbert space V and any sequence of unitary operators Pi, ... , Pk^i G U(7W ® V). Then, for any sequence 
pi,...,Pk G D(V M) such that pi = \Ov<»m) {^v^mI and ivIiVkPkVy. > I - e, 



Proof. Let "P be a sufficiently large Hilbert space so that we can take a purification | ) G V (8) 7W (8) "P 
of pj for each 2 < j < k — 1, and let = \Qv®M®v)- Notice that IV'i) is a purification of pi, and 
Vjlipj) is a purification of VjpjVj, for each I < j < k — 1. Let Aj = 1 — F(tTj\^VjPjVj ,trji4Pj-^-i) for each 
1 < i < ^ — 1- It follows from Lemma [T] that there exists a unitary transformation Pj G U(7W (g) V) such that 

IllV'j+i) — i'jV^ lV'i)!! ^ Y^2Aj, for each I < j < k — 1. Hence we have 



Y^ntrMVjpjvj 



tvMPj+i) < (k-l) 



2{k-l) 



uVkm - nVkPk-iVk^i ■ ■ ■ PiFi|Vi)|| 

< \\Vkm-VkPk-iVk-i---PiVi\i;i) 

= \Uk) -Pk-iVk-i---PiVi\i^i)\\ 



k-2 



< lim -Pk-lVk-l\^Pk-l)\\ + Y.\\Pk-lVk-l■■■PJ+lV,+l\iJj+l) -Pk_^^^ 



3=1 



k-1 




On the other hand, 

WuVkmW < \\uVkm - nVkPk-iVk.i ■ ■ ■ PiVi\i,i)\\ + wnVkPk-iVk-i ■ ■ ■ PiVMM 



k-1 
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Notice that ||nVfc|'i/'fc)|| > a/I — ^> since 1^/;^) is a purification of and trUVkPkV^ > 1 — £■ Tlierefore, 



V2 



and tlius, 

Y,F{tTMV,p,vj,tvMPj^i) = E(i - = (fc - 1) - E^- < - 1) - ^^^^^TF^IT^' 

i=i i=i i=i ^ 

as desired. □ 

Using Lemma [161 we can show that our modified parallelization protocol above indeed works well, and we 
have the following lemma. 

Lemma 17. Let m : Z"*" — > N a polynomially bounded function and let e, 5 : Z+ — > [0, 1] be any functions such 
that m>Aand£< , Then, HVQPZK(m, 1 - e, 1 - 5) C HVQPZK (s, 1 - f , 1 



16{m+l)2 • ^ ' ^xvi^,,., X _ V K^j. ^v,, J. 21-^ 32(m+l) 

Proof. Let A = {Ayes,^no} be a problem in HVQPZK(m, \ — £,1 — 5) and let V be the corresponding m- 
message honest quantum verifier. For simplicity, it is assumed that m takes only even values (if m{n) is odd 
for some n € Z+, we modify the protocol so that the verifier sends a "dummy" message to a prover as the first 
message when the input has length n such that m{n) is odd). Let V be the quantum register consisting of all the 
qubits in the private space of V, and let M be that consisting of all the qubits in the message channel between V and 
the prover. For every input x, V applies Vj for his j'th transformation to the qubits in (V, M) for 1 < j < y + 1, and 
performs the measurement 11 = {Ilacc, Ilrej} at the end of the original protocol to decide acceptance or rejection. 
We construct a protocol of a three-message honest quantum verifier W. 

For every input x, at the first message the new verifier W receives quantum registers Vj and Mj from the 
prover, for 2 < j < ^ + 1, where each and Mj consist of the same number of qubits as V and M, respectively. 
W expects that the qubits in (Vj , Mj) form the quantum state the original m-message verifier V would possess just 
after the 2(j — l)-st message (i.e., just before the jth transformation of the verifier) of the original protocol, for 
2 < j < f + 1. 

Now W prepares quantum registers Vi and Mi, which consist of the same number of qubits as V and M, 
respectively, and also prepares single-qubit quantum registers X and Y. W initializes all the qubits in Vi and Mi 
to state |0), while prepares |$+) = -ij(|0)|0) + |1)|1)) in (X, Y). W then chooses r e {l, . . . , y} uniformly at 
random, applies Vr to the qubits in (V^., M,.), and sends Y and together with r to the prover. 

At the third message, W receives the quantum registers Y and M,. from the prover. Now W chooses b G {0, 1} 
uniformly at random. \i b = {),W applies Vhl+i to the qubits in (Vm_|_i, M™_|_i), and accepts if and only if the 
content of (VHL_|_i,Mm^j^) corresponds to an accepting state in the original protocol. On the other hand, if 6 = 1, 
W first performs a controUed-swap between (V^, M,.) and (V^+i, M^+i) using the qubit in X as the control, then 
performs a controUed-not over the qubits in (X, Y) again using the qubit in X as the control, and finally applies the 
Hadamard transformation to the qubit in X. W accepts if and only if the qubit in X is in state |0). 

The precise description of the protocol of W is found in Figure [T] 

For the completeness, suppose that the input x is in Ayes. 

Let P be the m-message honest quantum prover for the original proof system, and let P be the quantum register 
consisting of all the qubits in the private space of P. Denote hy V, M., and V the Hilbert spaces corresponding 
to the registers V, M, and P, respectively. Let = \Qv®M®v) be the quantum state in (V, M,P), and let 
IV'j) G V "P be the quantum state in (V, M, P) just after the 2(j — l)-st message (i.e., just before the jth 
transformation of the verifier) of the original protocol if V communicates with P on input x, for 2 < j < ^ + 1. 
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Honest Verifier's Three-Message Protocol 

1. Receive quantum registers Vj and Mj from the prover, for 2 < j < ^ + 1. 

2. Prepare quantum registers Vi and Mi and single-qubit quantum registers X and Y. Initialize all the qubits 
in Vi and Mi to state |0), and prepare |$+) = ^(|0)|0) + |1)|1)) in (X,Y). Choose r E {l,... uni- 
formly at random and apply Vr to the qubits in (V^, M^). Send Y and M^ together with r to the prover. 

3. Receive the quantum registers Y and M,. from the prover. Choose b G {0, 1} uniformly at random. 

3.1 If 6 = 0, do the following: 

Apply V™._|_i to the qubits in (V^^^, M^+i). Accept if the content of (V™+i, Mm+i) con^esponds to 
an accepting state in the original protocol, and reject otherwise. 

3.2 If 6 = 1, do the following: 

Perform a controlled-swap between (V^, M^) and (V^+i, M^+i) using the qubit in X as the control, 
and then perform a controlled-not over the qubits in (X, Y) again using the qubit in X as the control. 
Apply the Hadamard transformation to the qubit in X. Accept if the qubit in X is in state |0), and reject 
otherwise. 



Figure 1 : Honest verifier's three-message protocol. 

Let R be the honest quantum prover in the constructed three-message system. In addition to the registers Vj 
and Mj, R prepares the quantum register Pj in his private space, for 1 < j < y + 1, where each Pj consists of the 
same number of qubits as P. i? prepares |0-p) in Pi so that the qubits in (Vi, Mi, Pi) form \ ipi). At the first message 
of the constructed protocol, R generates \Tpj) in (Vj, Mj, Pj), and sends Vj and Mj to W, for each 2 < j < y + 1. 

At the third message, if R receives r together with the registers Y and M^, R applies to the qubits in 
(Mr, Pr), where Pj is the jth transformation of the original prover P for each 1 < j < ^'^^ then performs a 
controlled-swap between P^ and Pr+i using the qubit in Y as the control. R then sends Y and M^ back to W. 

It is obvious that R can convince W with probability at least 1 — e if 6 = is chosen by W at StepO since the 
qubits in (Vm_(_i, M m+i) form the quantum state tr■p\^plR^l){^pln.J^l\■ From the construction of R, it is also routine 
to show that R can convince W with certainty if 6 = 1 is chosen by W at Step[3l since P^^rl^r) = iV'r+i) for any 
r chosen from {l, . . . , y |. Hence, W accepts every input x G Ayes with probability at least 1 — |- 

Next, for the soundness, suppose that the input x is in ylno- 

Let R' be any three-message quantum prover for the constructed proof system. Let pj G D(V (8) A4) be the 
reduced state in (Vj, Mj) of the entire system state just after the first transformation of R', for each 1 < j < y + 1. 
Consider the case in which W chooses r from |l, . . . , y} in Step |2] and also chooses 6 = 1 at Step [3] Then 

the probability that R' can convince W in this case cannot be larger than | + ^ F {tr mVt- PrVr ,tTMPr+i) by an 
argument similar to that in the proof of Theorem 4 in Ref. ll20l . Hence, the probability that R' can convince W 

771 . 

when 6 = 1 is chosen at Step[3]is at most ^ + ^ S/=i ^{^''^MVjPjVj ,trMPj+i)- 
Now, if trnaccV^^+i/5^+iVrL_(_i > 1 — |> Lemma [T6] implies that 

m 
2 

^ F(tTMVjPjVj ,tvMPj+i) 
-Y~m\\l ~4~ 
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and thus, the probabihty that R! can convince W when 6 = 1 is chosen is at most h + ^ ~ ) 



16m J ^ mm?- 

On the other hand, if trllacc^si+i/Oia-LiVl , , < 1 — |, it is obvious that R' can convince W with probabihty 

2 2 2 ~'~ 

at most 1 — J < 1 — if 6 = is chosen by W at Step |3j since the qubits in Vir^i and are never 

touched by the prover after Step[T] 

Hence the probability that R' can convince W for every input x G A^o is at most 1 — g^p-- Taking it into 

account that m(n) may be odd for some n G Z"*", we have the bound of 1 — ^2{m+i)'^ ■ 
Finally, the perfect zero-knowledge property against W is almost straightforward. 

Let Sy be the simulator for the original m-message system such that, if x is in Ay^s, the states Sv{x,j) and 
Yiewv,p{x,j) are identical for each I < j < y- 

The simulator Tyy for the constructed three-message system behaves as follows. For convenience, let R be the 
quantum register that is used to store the classical information r chosen by W, and let Sv{x, 0) = |0v(g)A^)(0v(g)A^ |- 

To simulate the state just after the first transformation of the prover R, Tw prepares the state Sv{x,j — 1) in 
(Vj, Mj), for each 2 < j < ^ + 1, and outputs the state in (V2, M2, . . . , M m_^^) as Tw{x, 1). 

To simulate the state just after the second transformation of the prover R, T\y first chooses r G {l, . . . , ^| 
uniformly at random, and sets the content of R to r. Next Tyy prepares the state 5y(x, j — 1) in (Vj, Mj), for each 
^ < j < r — I and r + l<j<Y + l, and prepares the state Sv{x, r) in (V,., M^). Tw then prepares the state 
|<1>^) in (X, Y), and performs a controlled-swap between (Vr, Mj.) and (Vf+i, M^+i) using the qubit in X as the 
control. Now Tw outputs the state in (R,X, Y, Vi, Mi, . . . , Vm_^^, Mm+i) as Tw{x,2). 

It is obvious that the ensemble {Tw{x,j)} is polynomial-time preparable. 

Suppose that x is in ^yes- 

That Tw{x, 1) = Y\eww,R{x, 1) is obvious from the fact that Sv{x,j) = viewyp(x, j) for 1 < j < 
To show that T\y{x,2) = viewi4/,j:j(x, 2), let viewy p{x,Q) = Sv{x,G) = |0v®a^)(0v®x|, for convenience. 
Let (Tr and be the quantum states in (R, X, Y, Vi, Mi, ... , M M m+i) such that 



(TTl \ 
X, —j 

and 

= \r){r\ (g) |^>+)($+| 

viewy^p(x, 0) • • • (8) viewv^^p(x, r — 2) viewv,p(2;, r) (g) viewy^p(x, r) (g) • • • (g) viewy^p ^x, — 

for each I < r < y- Then, we have ar = for each 1 < r < y, since Sv{x,j) = viewy.p(x, j) for < j < y- 
For each 1 < r < cr'r ^^id ^'r be the quantum states obtained by performing a controlled-swap between 

(Vr, Mr) and (V^+i, M^+i) on ar and ^r, respectively, using the qubit in X as the control. Obviously, a'r = 

m 

for each 1 < r < y. By definition, Tw{x,2) = ^Ylr=i'^r- Furthermore, vieww,R{x,2) is exactly the state 

m 

§i I]r=i C- Now that rvy(x, 2) = viewwM^^ 2) follows from the fact that a', = for each 1 < r < y. 

Hence the honest-verifier perfect zero-knowledge property against W follows. □ 

Next we show that the parallel repetition theorem for three-message quantum interactive proofs may be ex- 
tended to the case of three-message honest-verifier quantum perfect zero-knowledge proof systems. 

Lemma 18. Let c, s : Z'*' [0, 1] be any functions such that c > s. Then, for any polynomially bounded function 
/c : Z+ ^ N, HVQPZK(3, c, s) C HVQPZK(3, c'', s^). More strongly, let U be any three-message honest-verifier 
quantum perfect zero-knowledge proof system for a problem A = {^yes, ^no} with completeness accepting proba- 
bility at least c{n) and soundness accepting probability at most s{n)for every input of length n. Consider another 
proof system IT' such that, for every input of length n, IT' carries out k{n) attempts ofH in parallel and accepts iff 
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all the k{n) attempts result in acceptance in H. Then 11' is a three-message honest-verifier quantum perfect zero- 
knowledge proof system for A with completeness accepting probability at least c(n)'^(") and soundness accepting 
probability at most s{n)^^^^ for every input of length n. 

Proof. The completeness and soundness conditions follow from the proof of Theorem 6 in Ref. [20|. The honest- 
verifier perfect zero-knowledge property is trivial. Let V be the honest quantum verifier in the original three- 
message system IT and let Sy be the corresponding simulator such that, if x is in Ayes, the state Sv{x,j) perfectly 
simulates V's view after the jth transformation of the honest quantum prover, for each 1 < j < 2. Let W be the 
honest quantum verifier in the constructed three-message system 11'. For every x and for each I < j < 2, the 
simulator Tw for H' just outputs Twix,j) = Sy (x , Now the honest-verifier perfect zero-knowledge 

property is obvious. □ 

From Lemmas [TT] and [TSl it is immediate to show the following lemma. 

Lemma 19. For any polynomially bounded function p-.Z+^N, HVQPZK C HVQPZK(3, 1 - 2"^ , 2"^ ). 

Proof. By sequential repetition, we can show that, for any polynomially bounded function m : Z+ N, for 
any functions c, s: Z+ [0, 1] that satisfy c — s > | for some polynomially bounded function q: Z+ N, 
and for any polynomially bounded function p : Z+ —>■ N, there exists a polynomially bounded func- 
tion m' : Z+ ^ N such that HVQPZK(m, c, s) C HVQPZK(m', 1 - 2"^", 2-^'). Now Lemma [17] implies 

that HVQPZK(m', 1 - 2-^', 2-^') C HVQPZK ^3, 1 - 2-p'~\ 1 - ^^^;t^^ ■ Finally, by parallel repe- 
tition for sufficiently many times (say, for 32p{\x\){m' {\x\) -\- 2)^ times), from Lemma [T8l we have that 
HVQPZK ^3, 1 - 2-P'-\ 1 - ^2em7^i)' ) ^ HVQPZK(3, 1 - 2'P, 2-p), which completes the proof. □ 

3.2 Converting Honest- Verifier Quantum Perfect Zero-Knowledge Proofs to Public-Coin Systems 

Next we show that any three-message honest-verifier quantum perfect zero-knowledge system can be modified to 
a three-message public-coin one in which the message from the verifier consists of only one classical bit. Mar- 
riott and Watrous [231 showed such a claim in the case of usual quantum interactive proofs. We show that their 
construction preserves the honest-verifier perfect zero-knowledge property. 

Lemma 20. Let e, 6: Z+ [0, 1] be any functions that satisfy 6 > 1 — {1 — e)^. Then, any problem having a 
three-message honest-verifier quantum perfect zero-knowledge system with completeness accepting probability at 
least 1 — e and soundness accepting probability at most 1 — 5 has a three-message public-coin honest-verifier 
quantum perfect zero-knowledge system with completeness accepting probability at least 1 — | and soundness 

accepting probability at most ^ + ^^-^^ in which the message from the verifier consists of only one classical bit 

Proof. The proof is essentially same as that of Theorem 5.4 in Ref. (23] except for the zero-knowledge property. 

Let A = {Ayes, A-no} be a problem in HVQPZK (3, 1 — e,l — 6) and let V be the corresponding three-message 
quantum verifier. Let V be the quantum register consisting of all the qubits in the private space of V, and let M be 
that consisting of all the qubits in the message channel between V and the prover. For every input x, V applies Vi 
and V2 on the qubits in (V, M) for his first and second transformations, respectively. We construct a protocol of a 
three-message public-coin quantum verifier W. 

For every input x, at the first message the constructed verifier W receives the quantum register V from the 
prover. W expects that the prover prepares the quantum register M in his private space and the qubits in (V, M) 
form the quantum state the original verifier V would possess just after the second message (i.e., just after the first 
transformation of V) of the original protocol. 

At the second message, W chooses b e {0,1} uniformly at random and sends b to the prover. 
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Honest Verifier's Protocol in Three-Message Public-Coin System 

1 . Receive a quantum register V from the prover. 

2. Choose b G {0, 1} uniformly at random. Send b to the prover. 

3. Receive a quantum register M from the prover. 

3.1 If 6 = 0, apply V2 to the qubits in (V, M). Accept if the content of (V, M) corresponds to an accepting 
state of the original protocol, and reject otherwise. 

3.2 If 6 = 1, apply to the qubits in (V, M). Accept if all the qubits in V are in state |0), and reject 
otherwise. 



Figure 2: Honest verifier's protocol in a three-message public-coin system. 

If 6 = 0, the prover is requested to send M, so that the qubits in (V, M) form the quantum state the original 
verifier V would possess just after the third message (i.e., just after the second transformation of the prover) of 
the original protocol. Now W applies V2 to the qubits in (V, M) and accepts if and only if the content of (V, M) 
corresponds to an accepting state of the original protocol. 

On the other hand, if b = 1, the prover is requested to send M so that the qubits in (V, M) form the quantum 
state the original verifier V would possess just after the second message (i.e., just after the first transformation of 
V) of the original protocol. Now W applies to the qubits in (V, M) and accepts if and only if all the qubits in V 
are in state |0). 

The precise description of the protocol of W is found in Figure |2l 
First suppose that the input x is in vlyes- 

Let P be the three-message honest quantum prover for the original proof system, and let P be the quantum 
register consisting of all the qubits in the private space of P. Let IV'2) be the quantum state in (V, M, P) just after 
the second message (i.e., just after the first transformation of V) of the original protocol if V communicates with 
P on input x. 

Let R be the honest prover in the constructed public-coin system. In addition to the registers V and M, R 
prepares the quantum register P in his private space. At the first message of the constructed protocol, R first 
generates in (V, M, P) and then sends V to W. 

At the third message of the constructed protocol, if b = 0, R first applies P2 to the qubits in (M, P), and then 
sends M to W, where P2 is the second transformation of the original prover P on input x in the original protocol, 
while if 6 = 1, i? does nothing and just sends M to W. 

It is obvious that R can convince W with probability at least 1 — e if 6 = 0, and with certainty if 6 = 1. Hence, 
W accepts every input x G ylycs with probability at least 1 — |- 

The soundness property for the case the input x is in A^o follows with exactly the same argument as in the 
proof of Theorem 5.4 in Ref. |[23l . 

Finally, the perfect zero-knowledge property against W is almost straightforward. 

Let Sv be the simulator for V in the original system such that, if x is in Ayes, the states Sv{x,j) and 
Yiewv,p{x, j) are identical for each 1 < j < 2. Let M be the Hilbert space corresponding to the quantum reg- 
ister M. The simulator Tw for the constructed public-coin system behaves as follows. For convenience, let R be 
the single-qubit register that is used to store the classical information representing the outcome 6 of a public coin 
flipped by W. 
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Let Tiv{x, 1) and T\y{x, 2) be quantum states in V and in (R, V, M), respectively, defined by 



Tw{x,l) = trMViSv{x,l)V^, 

Tw{x,2) = ^[\0){0\^Sv{x,2) + |1)(1| {ViSv{x,l)vl)]. 

It is obvious that the ensemble {Tw{x,j)} is polynomial-time preparable. 

Suppose that x is in Ayes- It is obvious that Tw{x, 1) = vieww,R{x, 1), since Tw{x, 1) = tr^'Vi5y(x, 1)V^ , 
view{W, R)i = tr;v(yiviewv_p(x, and Sv{x,l) = viewv,p(x, 1). The fact Tw{x,2) = Yieww,R{x,2) 

follows from the properties vieww,R{x,2) = ^[\0){0\ (g) viewv,p{x,2) + (g) (yiYiewv,p{x,l)Vi)], 
Sv{x, 1) = viewv^,p(x, 1), and 2) = viewy^p(x, 2). 

Hence the claim follows. □ 



3.3 HVQPZK = QPZK 

First notice that the quantum rewinding technique due to Watrous (34] perfectly works well for any three-message 
public-coin honest-verifier quantum perfect zero-knowledge protocol in which the message from the verifier con- 
sists of only one classical bit. That is, we can show the following lemma. 

Lemma 21. Any three-message public-coin honest-verifier quantum perfect zero-knowledge system such that the 
message from the verifier consists of only one classical bit is perfect zero-knowledge against any polynomial-time 
quantum verifier 

Proof. Let A = {Ayes, Ano} be a problem having a three-message public-coin honest- verifier quantum perfect 
zero-knowledge system such that the message from the verifier consists of only one classical bit. Let V and P be 
the corresponding three-message public-coin honest quantum verifier and three-message honest quantum prover, 
respectively. Let M and N be the quantum registers consisting of all the qubits sent to V at the first message and 
of those at the third message, respectively, and let R and S be the single-qubit registers that are used to store the 
classical information representing the outcome 6 of a public coin flipped by V, where R is inside the private space 
of V and S is sent to P. 

Let Sy be the simulator for V such that, if x is in Ayes, the states Sv{x, 1) and viewyp(x, 1) consisting 
of qubits in M are identical and the states Sv{x, 2) and viewv,p(x, 2) consisting of qubits in (M, N, R) are also 
identical. 

Consider a generating circuit Q of the quantum state Sv{x, 2). Without loss of generality, it is assumed that Q 
acts over the qubits in (M, N, R, A), where A is the quantum register consisting of qj\^ qubits for some polynomially 
bounded function : Z+ N. 

For any polynomial-time quantum verifier W and any auxiliary quantum state p for W stored in the quantum 
register X inside the private space of W, we construct an efficiently implementable admissible mapping <I> that 
corresponds to a simulator Tw for W . Without loss of generality it is assumed that the message from W consists 
of a single classical bit, since the honest prover can easily enforce this constraint by measuring the message from 
the verifier before responding to it. Let W be the quantum register consisting of all the qubits in the private space 
of W except for those in X and M after having sent the second message. We consider the procedure described in 
Figure [3l which is the implementation of 

Suppose that the input x is in Ayes. 

Since the state viewy_p(a;, 2) can be written of the form viewv'^p(a;, 2) = ^(cjo |0)(0| + cri |1)(1|) 
for some quantum states ctq and o"i in (M,N), the state Sy{x,2) must also be of the form 
Sv{x,2) = \{(JQ |0)(0| + 0"! from the honest-verifier perfect zero-knowledge property. Therefore, 

the probability of obtaining |0) as the measurement result in Step[5]is exactly equal to ^ regardless of the auxiliary 
quantum state p, because trj>/ao = tTj\fai holds from the honest-verifier perfect zero-knowledge property of the 
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Simulator for General Verifier W 

1. Store the auxiliary quantum state p in the quantum register X. Prepare the quantum registers S, W, M, N, R, 
and A, and further prepare a single qubit quantum register F. Initialize all the qubits in F, S, W, M, N, R, and 
A in state |0). 

2. Apply the generating circuit Q of the quantum state Sv{x, 2) to the qubits in (M, N, R, A). 

3. Apply Wi to the qubits in (S, W, X, M), where Wi is the first transformation of the simulated verifier W. 

4. Compute the exclusive-or of the contents of R and S and write the result in F. 

5. Measure the qubit in F in the {|0), |1)} basis. If this results in |0), output the qubits in (W,X, M, N, R), 
otherwise apply to the qubits in (S, W, X, M) and then apply to the qubits in (M, N, R, A). 

6. Apply the phase-flip if all the qubits in F, S, W, M, N, R, and A are in state |0), apply Q to the qubits in 
(M, N, R, A), and apply Wi to the qubits in (S, W, X, M). Output the qubits in (W, X, M, N, R). 



Figure 3: Simulator for a general verifier W. 

protocol, where J\f is the Hilbert space corresponding to N (recall that when communicating with the honest verifier 
V, the qubits in M are never touched by V until the final transformation of V). 

Let = IliWi{\Os(g>w) {Os(^w\ o-j \i){i\)wlUi be an unnormalized state in (S,W,X, M, N, R) for 

each i G {0, 1}, where Ilj = is the projection operator over the qubit in S, and S and W are the Hilbert 
spaces corresponding to S and W, respectively. Then, conditioned on the measurement result being |0) in Step|5l 
the output is the state tr5(^o + Ci)- 

Noticing that tr^ is exactly the state the verifier W would possess after the third message when the second 
message from W is i and that the probability of the second message from W being i is exactly equal to tr^j for 
each i G {0, 1}, tr5(^o + Ci) = tr,^o • tr^^ll^ + tr^i • tr^^j^ is exactly the state W would possess after the third 
message. Thus, the quantum rewinding technique due to Watrous i34l perfectly works well, which is implemented 
in Steps|5]and[6l 

This ensures the perfect zero-knowledge property against W, which completes the proof. □ 

From Lemma 1211 it is immediate to show that HVQPZK = QPZK, i.e., honest- verifier quantum perfect zero- 
knowledge equals general quantum perfect zero-knowledge. 

Theorem 22. HVQPZK = QPZK. 

Proof. That HVQPZK D QPZK is trivial and we show that HVQPZK C QPZK. Now Lemma ED together with 
Lemmas [H and |20] implies that HVQPZK C QPZK (s, 1 - I'P, \ + for any polynomially bounded 

function -p : Z+ — > N. Therefore, the fact that sequential repetition works well for the protocols of quantum zero- 
knowledge proofs establishes the statement. □ 

From the proof of Theorem[22l the following property also follows. 

Theorem 23. Any problem in QPZK has a public-coin quantum perfect zero-knowledge proof system. 
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4 Computational Zero-Knowledge Case 



4.1 HVQZK = QZK 

With essentially same arguments as in the perfect zero-knowledge case, we can show that honest-verifier quantum 
zero-knowledge equals general quantum zero-knowledge for the computational zero-knowledge case. 

First, we show the following lemma, which is the computational zero-knowledge version of Lemma [17] The 
proof is exactly the same as the proof of Lemma [TT] except for the zero-knowledge property and the honest-verifier 
computational zero-knowledge property can be proved by fairly straightforward hybrid arguments. 

Lemma 24. Let m : Z"*" N be a polynomially bounded function and let e, 5 : Z+ [0, 1] be any functions such 
that m>Aande< ^g^^'_^^)^ . Then, HVQZK(m, 1 - e, 1 - 5) C HVQZK (^3, 1 - |, 1 - j^S^Y 

Alternatively, we may show the computational zero-knowledge version of Theorem 4 in Ref. ||20| . 

Next we show that the parallel repetition theorem for three-message quantum interactive proofs may be ex- 
tended to the case of three-message honest-verifier quantum computational zero-knowledge proof systems, which 
is the the computational zero-knowledge version of Lemma[T8l Again the proof is exactly the same as the proof of 
LemmafTSlexcept for the zero-knowledge property and the honest-verifier computational zero-knowledge property 
can be proved by fairly straightforward hybrid arguments. 

Lemma 25. Let c, s : 'L^ [0, 1] be any functions such that c > s. Then, for any polynomially bounded function 
k: Z,~^ N, HVQZK(3, c, s) C HVQZK(3, c*^, s'^). More strongly, let H be any three-message honest-verifier 
quantum computational zero-knowledge proof system for a problem A = {Ayes, ^no} with completeness accepting 
probability at least c{n) and soundness accepting probability at most s{n) for every input of length n. Consider 
another proof system IT' such that, for every input of length n, li' carries out k{n) attempts of li in parallel and 
accepts iff all the k{n) attempts result in acceptance in li. Then 11' is a three-message honest-verifier quantum 
computational zero -knowledge proof system for A with completeness accepting probability at least c{n)''^"^ and 
soundness accepting probability at most s(n)'^*^") for every input of length n. 

Now Lemma |26] below follows from the essentially same argument as in the proof of Lemma [191 using Lem- 
mas |2l and [251 

Lemma 26. For any polynomially bounded function p: Z+ N, HVQZK C HVQZK(3, 1 — 2^^, 2~^). 

We can also show the following lemma, which is the computational zero-knowledge version of Lemma l20l 

Lemma 27. Let e, 5: Z+ [0, 1] be any functions that satisfy 6 > 1 — {1 — e)^. Then, any problem having a 
three-message honest-verifier quantum computational zero-knowledge system with completeness accepting prob- 
ability at least 1 — £ and soundness accepting probability at most 1 — 6 has a three-message public-coin honest- 
verifier quantum computational zero-knowledge system with completeness accepting probability at least 1 — § and 

soundness accepting probability at most ^ + ^^^^ in which the message from the verifier consists of only one 
classical bit. 

Proof. We use the same protocol construction as in the proof of Lemma [20] and we only show the zero-knowledge 
property. In what follows, we use the same notations as in the proof of Lemma [20l 

Let Sy be the simulator for the original system such that, if x is in Ayes, the states Sv{x,j) and viewy p(x,j) 
are computationally indistinguishable for each 1 < j < 2. Let M. be the Hilbert space corresponding to the quan- 
tum register M. As in the proof of Lemma |20l the simulator Tw for the constructed public-coin system behaves as 
follows. For convenience, as in the proof of Lemma |20l let R be the single-qubit register that is used to store the 
classical information representing the outcome 6 of a public coin flipped by W. 
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Let Tiv{x, 1) and T\y{x, 2) be quantum states in V and in (R, V, M), respectively, defined by 

Tw{x, 1) = tr^ViS'v(a;, l)V^ , 

Tw{x,2) = i[|0)(0| ® 5y(a;,2) + |1)(1| {ViSv{x,l)vl)]. 

It is obvious that the ensemble {Tw{x,j)} is polynomial-time preparable. 

Suppose that x is in ^yes- The computational indistinguishability between Tw{x,l) and 
vieww,R{x,l) is obvious since Tw{x,l) = tTMViSv{x,l)Vi < view(M/^, = tr^ Viviewv,p(x, l)y^^, 
and Sv{x,l) and viewv,p{x,l) are computational indistinguishable. The computa- 

tional indistinguishability between Tw{x,2) and viewvi/,R(x, 2) follows from the properties 
view]y^ji{x,2) = ^[\0){0\ ^viewv,p{x,2) + ^ (Viviewv,p{x,l)V^)], the computational indistin- 
guishability between Sv{x, 1) and viewy p(j;, 1), and that between Sv{x, 2) and viewy p(x, 2). 

Now the lemma follows. □ 

Now applying the quantum rewinding technique due to Watrous f34], we show the computational zero- 
knowledge version of Lemma 1211 that any three-message public-coin honest-verifier quantum computational zero- 
knowledge system such that the message from the verifier consists of only one classical bit is computational zero- 
knowledge against any dishonest quantum verifier. 

Lemma 28. Any three-message public-coin honest-verifier quantum computational zero-knowledge system such 
that the message from the verifier consists of only one classical bit is computational zero-knowledge against any 
polynomial-time quantum verifier. 

Proof. We use the same construction of the simulator as in the proof of Lemma |2T] In what follows, we use the 
same notations as in the proof of Lemma |2T] 

Let Sy be the simulator for V such that, if x is in ^yes, the states Sy{x, 1) and viewyp(x, 1) consisting of 
qubits in M are computationally indistinguishable and the states Sv{x, 2) and viewvp(x, 2) consisting of qubits 
in (M, N, R) are also computationally indistinguishable, and consider the simulator construction in Figure |3]in the 
proof of Lemma [2T] 

Suppose that the input x is in Ayes. 

We shall show that (i) the gap between ^ and the probability of obtaining |0) as the measurement result in 
Step [5] must be negligible regardless of the auxiliary quantum state p, and (ii) the output state in Step [5] in the 
construction conditioned on the measurement result being |0) must be computationally indistinguishable from the 
state W would possess after the third message. With these two properties, the quantum rewinding technique due 
to Watrous ||34]| works well, by using the amplification lemma for the case with negligible perturbations, which is 
also due to Watrous f34l. This ensures the computational zero-knowledge property against W. 

For the generating circuit Q' of the quantum state viewyp(x,2) (for example, the unitary circuit Pi that 
corresponds to the first transformation of the honest prover P realizes Q'), consider the "ideal" construction of the 
simulator such that Q' is applied instead of Q in Step|2]of the "real" simulator construction. 

We first show the property (i). 

Since the state viewy,p(a;, 2) can be written of the form viewv,p(x,2) = ^(cro ® |0)(0| + ui (X" for 
some quantum states ctq and cJi in (M, N), the probability of obtaining |0) as the measurement result in Step [5] in 
the "ideal" construction is exactly equal to ^ regardless of the auxiliary quantum state p, because tij^aQ = tij^a\ 
necessarily holds in this case, where J\f is the Hilbert space corresponding to N. 

Now, from the honest-verifier computational zero-knowledge property, the states 5y (x, 2) and viewy p(x, 2) 
in (M, N, R) are computationally indistinguishable. Since the circuit implementing Wi is of size polynomial with 
respect to it follows that the gap between ^ and the probability of obtaining |0) as the measurement result in 
Step [5] in the "real" construction must be negligible regardless of the auxiliary quantum state p, which proves the 
property (i). 
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Now we show the property (ii). 

Let = IliWi{\Os(^w) {Os(8w\ Op® o-j O |i)(i|)Ty/nj be an unnormahzed state in (S,W,X, M, N, R) for 
each i € {0, 1}, where Ilj = is the projection operator over the qubits in S, and S and W are the Hilbert 
spaces corresponding to S and W, respectively. Then, in the "ideal" construction, conditioned on the measurement 
result being |0) in SteplH the output is the state tr5(^o + 

Noticing that tr^ t% is exactly the state the verifier W would possess after the third message when the second 
message from W is i and that the probability of the second message from W being i is exactly equal to tr^j for 
each i G {0, 1}, tr5(^o + Ci) = ^,^0 " tr^^l^^ + tr^i • tr^^l^j- is exactly the state W would possess after the third 
message. 

Towards a contradiction, suppose that the output state in Step [5] in the "real" construction conditioned on the 
measurement result being |0) is computationally distinguishable from tr5(^o + which is the state W would 
possess after the third message. Let D be the corresponding distinguisher that uses the auxiliary quantum state p'. 
We construct a distinguisher D' for Sv{x, 2) and viewyp(j;, 2) from D. 

On input quantum state ^ that is either Sv{x, 2) or viewy,p(2;, 2), D' uses the auxiliary quantum state p ® p', 
where p is the auxiliary quantum state the verifier W would use. D' prepares the quantum registers S, W, M, N, R 
and another quantum register Y. D' stores p in the register X, ^ in the register (M, N, R), and p' in Y. All the qubits 
in S and W are initialized in state |0). Now D' applies Wi to the qubits in (S, W, X, M), and then applies D to the 
qubits in (W,X,M,N,R,Y). 

It is obvious from this construction that D' with the auxiliary quantum state p p' forms a distinguisher for 
Sv{x,2) and viewv,p(x,2) if D with the auxiliary quantum state p' forms a distinguisher for the output state 
in Step 15] in the "real" simulator construction conditioned on the measurement result being |0) and the state 
tr^CCo + This contradicts the computational indistinguishability between Sv{x,2) and viewyp(x,2), and 
thus the property (ii) follows. □ 

From Lemmas |26l |22l and |28l it is easy to show that honest- verifier quantum computational zero-knowledge 
equals general quantum computational zero-knowledge. The proof is essentially same as the proof of Theorem l22l 
and thus, the property that public-coin quantum computational zero-knowledge equals general quantum computa- 
tional zero-knowledge also follows. 

Theorem 29. HVQZK = QZK 

Theorem 30. Any problem in QZK has a public-coin quantum computational zero-knowledge proof system. 
4.2 QZK with Perfect Completeness Equals General QZK 

In the computational zero-knowledge case, we can show that quantum computational zero-knowledge with one- 
sided bounded error of perfect completeness equals general quantum computational zero-knowledge. 

The key idea is to show that any honest-verifier quantum computational zero-knowledge proof system with 
two-sided bounded error can be modified to that with one-sided bounded error of perfect completeness. This can 
be proved in a similar manner as in the proof of Theorem 2 of Ref. |[20l . but requires more careful analyses for 
showing the zero-knowledge property. 

Lemma 31. Let m: Z+ -^'H be a polynomially bounded fiinction, let e: Z"*" [0, 1] be any negligible fiinction 
such that there exists a polynomial-time uniformly generated family {Qi"} of quantum circuits such that Qin 
exactly performs the unitary transformation 




and let 5 : Z+ [Oj 1] ^'^J function 

HVQZK(m, 1 - e, 1 - (5) C HVQZK(m + 2, 1, 1 - (5 - e)^). 



that 



satisfies 



5 > e. 



Then, 
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Honest Verifier's Protocol for Achieving Perfect Completeness 

1 . Prepare quantum registers V and M and a single-qubit quantum register X. Let Y be the single-qubit quantum 
register consisting of the qubit in V that corresponds to the output qubit of the original verifier. Initialize all 
the qubits in V, M, and X in state |0). Apply Vi to the qubits in (V, M), and send M to the prover. 

2. For j = 2 to Y, do the following: 

Receive M from the prover. Apply Vj to the qubits in (V, M), and send M to the prover. 

3. Receive B and M from the prover. Apply Vs+i to the qubits in (V, M) and perform the Toffoli transformation 
over the qubits in (X, Y, B) using the qubit in X as the target. Send V, M, and B to the prover. 

4. Receive B from the prover. Perform a controlled-not over the qubits in (X, B) using the qubit in X as the 
control. Apply [/j to the qubit in X. Accept if the content of X is 0, and reject otherwise. 



Figure 4: Honest verifier's protocol for achieving perfect completeness 

Proof. The proof is similar to the proof of Theorem 2 of Ref. [20|, but requires more careful analyses for showing 
the zero-knowledge property. 

Let A = {Ayes, Aio} be a problem in HVQZK(m, 1 — e,l — 6), and let V be the corresponding m-message 
honest quantum verifier. Let V be the quantum register consisting of all the qubits in the private space of V, and 
let M be that consisting of all the qubits in the message channel between V and the prover. For every input x, V 
applies Vj for his jth transformation to the qubits in (V, M), for 1 < j < [yj + 1. We construct a protocol of an 
(m + 2)-message honest quantum verifier W. For simplicity, in what follows, it is assumed that m is even (the 
cases in which m is odd can be proved in a similar manner). 

For every input x, the new verifier W prepares the quantum registers V and M and another single-qubit quantum 
register X. Let Y be the single-qubit quantum register consisting of the qubit in V that corresponds to the output 
qubit of the original verifier V. 

Using first (m — 1) messages, W attempts to simulate the first (m — 1) messages of the original m-message 
protocol, by applying Vj to the qubits in (V, M) as his jth transformation, for 1 < j < y. 

At the mth message, which is from the prover, W receives a single-qubit quantum register B in addition to M. 
W then applies V^+i to the qubits in (V, M), and further performs the Toffoli transformation over the qubits in 
(B, Y, X), using the qubit in X as the target. Notice that the content of X is 1 if and only if the content of B is 1 
and the state in (V, M) is an accepting state of the original protocol. Then W sends the registers B, V, and M to the 
prover, while keeping only X in his private. 

At the last message of the protocol, W receives the qubit in B and verifies if the qubits in (X, B) form the state 

= ve|oo) + \/r^|ii). 

The precise description of the protocol of W is described in Figure |4] 

The soundness can be proved in almost the same way as in the proof of Theorem 2 of Ref. ||20]| . We show the 
completeness and the honest-verifier zero-knowledge properties. We first describe how the honest quantum prover 
behaves in the constructed (m + 2) -message system. 

Suppose that the input x is in Ayes- Let P be the m-message honest quantum prover for the original proof 
system, and suppose that {V, P) accepts x with probability exactly pacc > 1 — Let P be the quantum register 
consisting of all the qubits in the private space of P. Let Pj be the jth transformation of P on input x in the original 
protocol, for 1 < j < 

The (m + 2)-message honest quantum prover R for the constructed proof system prepares the register P and 
another single-qubit quantum register B in his private space. All the qubits in P and B are initially in state 1 0) . 
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At the jth transformation of i?, for 1 < j < y — 1, after receiving the register M from W, R appUes Pj to the 
qubits in (M, P) and sends MtoW. 

At the transformation of R, after receiving the register M from W, R first appUes Pj to the qubits in 

(M, P). R also generates the state \b) = ./l - 7^|0) + \ f^\l) in the register B, and sends B and M to W. 

Let Itprn+i) be the system state in (X, V, M, B) just after the (m + l)-st message of the constructed protocol, 
when W is communicating with i? on the input x. Then iV'm+i) can be written as IV^m+i) = «o|0)|^o) + 
for some states |^o) and in (V, M, B) orthogonal to each other, where ai = y/pacc ■ \J^r^ ~ Vl — £ and 
ao = \/l - = 

At the + l)-st transformation of R, after receiving the registers V, M, and B from W, R applies the unitary 
transformation Z to the qubits in (V, M, B) such that Z\^q) = \r])\0) and Z\^i) = for some state \r]) in 

(V, M) (this is possible because |.^o) and are orthogonal). R then sends B to W, which is the last message of 
the constructed protocol. 

Now the perfect completeness is obvious from the constructions of W and R. 

Finally, the zero-knowledge property against W is almost sti^aightforward. 

Let Sv be the simulator for the original m-message system such that, if x is in Ayes, the states Sv{x,j) and 
viewy,p(x, j) are computationally indistinguishable, for each I < j < y- 

The simulator T\y for the constructed (m + 2)-message system behaves as follows. 

Let Tw{x,j) be a quantum state in (X,V, M) defined by Tw (x , j) = \0) {0\ <^ Sy {x , j) 
for each 1 < j < ^ - 1. Let Tw{x,y) be a quantum state in (X,V, M,B) defined by 
Tw{x, ^) = |0)(0| Sv{x, f ) O |1)(1|. Finally, let Tw{x, ^ + l) be a quantum state in (X, B) defined 
by Tw{x, y + l) = |</')(0|- It is obvious that the ensemble {Tw{x,j)} is polynomial-time preparable. 

Suppose that x is in Ayes- For 1 < j < y — 1, T\Y{x,j) is obviously computationally indistinguish- 
able from vieww,R{x,j), since Tvi/(x, j) = |0)(0| (8) j), vieww,R{x, j) = \0){0\ ® viewv,p{x, j), 
and Sv{x,j) and viewv,p{x,j) are computationally indistinguishable. The computa- 
tional indistinguishability between Tw{x,y) and viewiy,i?(x, follows from the com- 
putational indistinguishability between Sv{x,y) and viewy^p(x,y) and the fact that 

||viewH/,ij(x,f ) - |0)(0| 0viewy,p(x,f ) |l)(l|||tr = \\\b){b\ - |l)(l|||tr < 2^1 - g < 2^ is negli- 
gible. Finally, Tvi/(a:, y + l) and viewvi/p(x, y + l) are identical, and thus, are trivially computationally 
indistinguishable. □ 

Together with Lemmas |27] and |28] and the computational zero-knowledge version of Lemma \TE\ this implies 
the equivalence between quantum computational zero-knowledge with perfect completeness and usual quantum 
computational zero-knowledge with two-sided bounded error. The proof is similar to those of Theorems [22] and [29l 

Theorem 32. Any problem in QZK has a quantum computational zero-knowledge proof system of perfect com- 
pleteness. 

Furthermore, in the computational zero-knowledge case, it is straightforward to extend Lemma [28] to the fol- 
lowing more general statement. 

Lemma 33. Any three-message public-coin honest-verifier quantum computational zero-knowledge system such 
that the message from the verifier consists of 0(logn) bits for every input of length n is computational zero- 
knowledge against any polynomial-time quantum verifier 

Using Lemma[33l we can show the following. 

Theorem 34. Any problem in QZK has a three-message public-coin quantum computational zero-knowledge proof 
system of perfect completeness with soundness error probability at most ^for any polynomially bounded function 
p: — > N (hence with arbitrarily small constant error in soundness). 
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Proof. Let p : Z"*" ^ N be any polynomially bounded function, and let q : Z+ — > N be a polynomially bounded 

q 

function satisfying 22 > logp + 2. 

Then, from Lemmas [3T] and [24l together with Lemma |25] for parallel repetition, we have that 
HVQZK C HVQZK(3, 1, 2-i). 

With Lemma [27] this further implies that any problem in HVQZK has a three-message public-coin honest- 
verifier quantum computational zero-knowledge proof system of perfect completeness with soundness accepting 
probability at most ^ + 2 2 ^ in which the message from the verifier consists of only one classical bit. 

For every input of length n, we run this proof system [logj5(n)] + 2 times in parallel. From Lemma |25l this 
results in a three-message public-coin honest- verifier computational zero-knowledge proof system of perfect com- 

pleteness with soundness accepting probability at most 4^;^ (1 + 2 2 j ' < in which the message 

of the verifier consists of [logp(n)] + 2 classical bits, for every input of length n. 

Now Lemma [33] implies that this protocol is computational zero-knowledge even against any dishonest quan- 
tum verifier. Hence, any problem in QZK has a three-message public-coin quantum computational zero-knowledge 
proof system of perfect completeness with soundness error probability at most ^, since HVQZK = QZK by The- 
oremllll □ 

5 Statistical Zero-Knowledge Case 

All the properties shown for the computational zero-knowledge case also hold for the statistical zero-knowledge 
case. The proofs are essentially same as in the computational zero-knowledge case. This gives alternative proofs 
for the following theorems, which were originally shown by Watrous Ii34il using his previous results Ii32il . 

Theorem 35 (1321 [3l). HVQSZK = QSZK. 

Theorem 36 ( II32[|34I ). Any problem in QSZK has a public-coin quantum statistical zero-knowledge proof system. 

We also have the following new properties for quantum statistical zero-knowledge. 

Theorem 37, Any problem in QSZK has a quantum statistical zero-knowledge proof system of perfect complete- 
ness. 

Theorem 38. Any problem in QSZK has a three-message public-coin quantum statistical zero-knowledge proof 
system of perfect completeness with soundness error probability at most ^for any polynomially bounded function 
p: N (hence with arbitrarily small constant error in soundness). 

6 Equivalence of Two Definitions of Quantum Perfect Zero-Knowledge 

In the classical case, the most common definition of perfect zero-knowledge proofs seems to allow the simulator to 
output "FAIL" with small probability, say, with probability at most ^ |[8l|28l. Following this convention, we may 
consider the following alternative definitions of honest-verifier and general quantum perfect zero-knowledge proof 
systems. 

Definition 39. Given a polynomially bounded function m: Z+ —>■ N and functions c, s: Z+ —>■ [0, 1], a problem 
A = {ylycsj^no} is in HVQPZK'(m, c, s) iff there exists an m-message honest quantum verifier V and an m- 
message honest quantum prover P such that 

(Completeness and Soundness) [V, P) forms an m-message quantum interactive proof system with completeness 
accepting probabiUty at least c and soundness accepting probability at most s. 
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(Honest- Verifier Perfect Zero-Knowledge) tliere exists a polynomial-time preparable ensembles 
{Sv{x,j)} of quantum states such that, for every x G Ayes and for each l<j< [^^^^^], 
Sv{x,j) =Px,j\0){0\^\On,){On,\ + {^-Px,j)\'^){M<^viewv,p{x,j) for some < Pxj < ^, where 
Hj is the Hilbert space viewy,p(a;, j) is in D{Hj). 

Definition 40. Given a polynomially bounded function m: Z+ N and functions c, s: Z+ [0, 1], a problem 
A = {^yes, ^no} is in QPZK'(m, c, s) iff there exists an m-message honest quantum verifier V and an m-message 
honest quantum prover P such that 

(Completeness and Soundness) {V, P) forms an m-message quantum interactive proof system with completeness 
accepting probability at least c and soundness accepting probability at most s, 

(Perfect Zero-Knowledge) for any m-message quantum verifier V, there exists a polynomial-time uniformly gen- 
erated family {Qx} of quantum circuits, where each Qx exactly implements an admissible transformation 
Syf{x), such that, for every x G Aj^^g, Syi{x) = Pxi^o ® ^faii) + (1 — Px){^i ^ , P){x)) for some 
< < ^> where {V',P){x) G T{A,Z) is the induced admissible transformation from V, P, and x 
for some Hilbert spaces A and Z, "^mi S T(^, Z) is the admissible transformation that always outputs 
|02)(0^|, and <I>fe is the admissible transformation that takes nothing as input and outputs \b){b\, for each 
6g{0,1}. 

In Definitions |39] and |40l the first qubit of the output of the simulator indicates whether or not the simulation 
succeeds — |0)(0| is interpreted as failure and |1)(1| as success. 

Definition 41. A problem A = {^yes, ^no} is in HVQPZK' and in QPZK' if there exists a polynomially bounded 
function m : Z+ — > N such that A is in HVQPZK' (m, |, i) and in QPZK' (m, |, i), respectively. 

It is not obvious at a glance that HVQPZK = HVQPZK' and QPZK = QPZK', i.e., that the definitions of 
honest-verifier and general quantum perfect zero-knowledge proof systems using Definitions|4]and[T0]is equivalent 
to those using Definitions [39] and l40l 

Fortunately, using Theorem [22l we can show that HVQPZK = HVQPZK' and QPZK = QPZK'. It is 
stressed that such equivalence is not known in the classical case. 

Tlieorem 42. HVQPZK = HVQPZK' and QPZK = QPZK'. 

Proof. It is obvious that HVQPZK C HVQPZK' and QPZK C QPZK' C HVQPZK'. From Theorem 122 we 
have HVQPZK = QPZK. Therefore, it is sufficient to show that HVQPZK' C HVQPZK. 

Let A = {Ayes,Aao} be a problem in HVQPZK' (m, |, I) for some polynomially bounded function 
m: Z+ — > N. Without loss of generality, it is assumed that m takes only even values (if m(n) is odd for some 
n G Z+, we modify the protocol so that the verifier sends a "dummy" message to a prover as the first message 
when the input has length n such that m(n) is odd). Let V and P be the corresponding honest verifier and honest 
prover, respectively. Let V be the quantum register consisting of all the qubits in the private space of V, and let 
M be that consisting of all the qubits in the message channel between V and the prover. For every input x, V 
apphes Vj for his jth transformation to the qubits in (V, M) for 1 < j < ^ + 1, and performs the measurement 
n = {Hacci Ilrcj} at the end of the original protocol to decide acceptance or rejection. Let V and M. be the Hilbert 
spaces corresponding to V and M , respectively. 

Let {Sv{x,j)} be the polynomial-time preparable ensembles of quantum states corresponding to the sim- 
ulator for this honest-verifier quantum perfect zero-knowledge proof system such that, for every x G ^yes and 
for each 1 <j < ^I^:^, Sv{x,j) =pxj\0){0\ (g) |0v®m)(0v®xI + (1 - Px,j)\'i-){M O viewy,p(x, j) for some 
< Px,j < ^- This may be viewed as Sv{x,j) outputting |0)(0| ^ \0v(S)m){0v®m\ with probability p^j 
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and viewv,p{x,j) with probability 1 ~ p^j. Without loss of generality, it is assumed that each 

< Px,j < 2^l^l, since we can easily amplify the success probability of the simulator by just running the orig- 
inal simulator a number of times so that a new simulator outputs |0)(0| (g) |0v(g)A^)(0v(g)A^| only if all the attempts 
result in |0)(0| (g) \Ov^m) {^V'SmI 

First we slightly modify the behavior of the honest verifier as follows (call this modified honest verifier V'). 
At the beginning of the protocol, V' prepares a single-qubit quantum register B in addition to the registers V and 
M. The content of B will denote if the protocol successfully simulates the original protocol (that B contains 1 
indicates the successful simulation). At the first transformation of V', V' prepares |1) in B and Vi|Ov(gi>f) in 
(V, M), and sends B and M to a prover. At every message from the prover, V' receives B in addition to the qubits in 
M the original verifier V would receive. At the jth transformation of V' , V' applies Vj to the qubits in (V, M), for 
2 < i < + 1. That is, the jth transformation of V is given by V- = I Vj, for 2<j< + 1. Then 

V sends B and M back to the prover as the (2j — l)-st message, for 2 < j < !Z!££il. At the end of the protocol, 

V accepts if and only if the content of B is 1 and the content of (V, M) corresponds to an accepting state of the 
original protocol. 

It is obvious that the soundness accepting probability is at most ^, since it cannot be larger than that in the 
original protocol from the construction of V. 

To show the completeness and honest-verifier perfect zero-knowledge conditions, we construct a new honest 
prover P' as follows. Let P be the quantum register consisting of all the qubits in the private space of the original 
honest prover P. The new prover P' prepares P as well as single-qubit quantum registers B^- and quantum registers 

and in his private space for 1 < j < EiMl^ where and consists of the same number of qubits as V 

and M, respectively. All the qubits in the registers P, B^, V^, and M^, for 1 < j < "^^j^^^ , are initialized to state |0). 

At the jth transformation of P', for 1 < j < 2^^\ after having received B and M, P' first measures the qubit 
in B in the {|0), |1)} basis to obtain the measurement outcome b. 

If 6 = 0, P' does nothing and just sends B and M back to the verifier. 

On the other hand, if 6=1, P' first generates Sv{x,j) in (B^, V^, M^). If this results in 
|0)(0| (g) |0v(g)A^)(0v(g)A^|, P' flips the content of B so that B now contains 0, and sends B and M back to the 
verifier. Otherwise P' applies Pj, the jth transformation of the original honest prover P, to the qubits in (M, P), 
and sends B and M back to the verifier (note that B always contains 1 in this case). 

From the construction of P', it is easy to see that, if the input x is in ^yes, P' is accepted with probabiUty at 

n , IK m(\x\) r- 

least 1(1 -2-1^1)^^ > |. 

Next we construct a new simulator S'y, as follows. Sy, prepares the quantum registers B, V, and M and another 
three quantum registers B', V, and M', where B', V, and M' consists of the same number of qubits as B, V, and M, 
respectively. For convenience, let Sy,{x,0) = |1)(1| <8) \0v'S)M){0viS)M\- We define Sy, inductively with respect 

toj,forl < j < 

Assume that the state Sy,{x,j — 1) has already been defined. To simulate the state after the jth transformation 
of P', Sy, first generates pj = V-S'y,{x,j - l)vf in (B, V, M). If the content of B is 0, S'y, just outputs the state 
in (B, V, M). Otherwise if the content of B is 1, Sy, generates the state Sv{x, j) in (B', V, M'). If the content of 
B' is 0, Sy, outputs the state in (B', V, M), otherwise if the content of B' is 1, Sy, outputs the state in (B', V, M'). 

Let lib be the projection defined by 11^ = \b){b\ (8) ly^M^ for each b G {0, 1}. Then, Sy,{x,j) can be written 

as 

S'y,ix,j) = UoPjUo + (trnoSy(x, j))|0)(0| ^titsUipjUi + {tTUip^)UiSv{x,j)Ui 

= ^oPj'^o+Px,j\0){0\ (8) trgnipj-ni + {tTUipj){l - px,j)\l){l\ ^viewv,p{x,j), 

for 1 < j < where B is the Hilbert space corresponding to B. 

It is easy to see that the ensemble {Sy, {x, j)} is polynomial-time preparable. 
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Suppose that x is in ^yes- We show by induction that Sy, {x, j) = viewy', p' {x,j) for each 1 < j < 2 • For 
convenience, let viewy/^p/(x, 0) = Sy,{x,0) = |1)(1| |0v(g)A^)(0v(g)A^|, and let aj = Vjviewv',p'{x,j — ^)Vp 
for each 1 < j < 

In the case j = 1, it is obvious that Sy,{x, 1) = viewv',p'(x, 1), since 

pi = ai = VI{\1){1\ <g) \0v^m){0v^m\)VI^ = ® {Vi\0v^m){0v<^m\V^), 

and thus 

S'y,{x, 1) = Px,i|0)(0| <S) tiB^ipiUi + (1 - ® viewy,p(x, 1) 

= Px,i|0)(0| (S)trt3UiaiUi + (1 ® viewy,p(x, 1) 

= viewy ^p'(x, 1). 

Suppose that Sy,{x,j) = viewy', p'{x,j) holds for all 1 < j < k. We show the case j = A; + 1. By definition, 
S'y,{x, k + l) = UoPk+iUo + (trno5v(x, k + 1))|0)(0| ® tiBllipk+iUi + {tvnipk+i)UiSv{x, k + i)ni, 
and notice that 

viewv",p'(x, k + 1) = nofjfc+illo + (trnoS'v(a:;, k + 1))|0)(0| trgnicifc+ini 

+ (trniafc+i)(trniS'y(x,A; + 1))|1)(1| O viewv,p(x, /c + 1). 

Since /o^+i = Vlj^^Sy,{x,k)Vl^_^_^and Uk+i = V^'^-^viewy/^p/(x, fc)V'^'^-^, we have p^+i = cTfc+i from the assump- 
tion that Sy,{x, k) = viewy ,p'{x, k). Furthermore, we have 

ni5'y(x,fe + l)ni = (trniS'y(x,/c + 1))|1)(1| ®viewv/,p(x,A; + l). 

Therefore, that Sy,{x, k + 1) = viewy ,p'{x, k + 1) follows. 

Hence, the honest- verifier perfect zero-knowledge property against P' holds in the sense of Definition 01 
Finally, recall that the success probability can be amplified using sequential repetition, and thus, that 

HVQPZK' C HVQPZK follows. □ 

7 Conclusion 

This paper has established a unified framework that directly proves a number of general properties of quantum 
zero-knowledge proofs. Our method works well for any of quantum perfect, statistical, and computational zero- 
knowledge cases. We conclude by mentioning several open problems concerning quantum zero-knowledge proofs: 

• We have proved that quantum computational and statistical zero-knowledge proofs can be made perfect 
complete. Can quantum perfect zero-knowledge proofs be made perfect complete? 

• Although we have proved properties of quantum zero-knowledge proofs directly, natural complete problems 
or characterizations are definitely helpful when proving properties of quantum zero-knowledge proofs. Are 
their any natural complete problems or characterizations for QZK and QPZK? 

• We have investigated the properties of QZK that hold unconditionally. On the other hand, Watrous 1341 
proved that every problem in NP has a quantum computational zero-knowledge proof system under some 
intractability assumptions. In the classical case, it is known that every problem in IP = PSPACE is provable 
in computational zero-knowledge under some intractability assumptions |[T8l l4ll22ll29l. How powerful are 
quantum computational zero-knowledge proofs under reasonable intractabiUty assumptions? 
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Appendix 

A Quantum Interactive Proof Systems 

Here we review the model of quantum interactive proof systems. Although the term "round" is commonly used 
in classical interactive proofs for describing each set of verifier's question and corresponding prover's response, 
this paper follows the custom in the preceding papers of quantum interactive proofs ll33l l20l [32l l23l |27]1 and uses 
the term "message" instead of "round". One round consists of two messages: the message from a verifier and the 
message from a proven 

A quantum interactive proof system consists of two parties: a quantum verifier V and a quantum prover P. 
Associated with the quantum interactive proof system are the Hilbert spaces V, Ai, and V, where V corresponds 
to the private space of the verifier V, M. corresponds to the space used for communication between the verifier V 
and the prover P, and V corresponds to the private space of the prover P. 

For every input of length n, each space V, M-, and V consists of qv{n), qm and qp{n) qubits, respectively, 
for some polynomially bounded functions qx> , : Z+ —>■ N and some function qp : Z+ —>■ N. Accordingly, the 
entire system consists of q{n) = q-\;{n) + (?A^(n) +gp(n) qubits. Such a system is called {q-\; , q_\4, qp)-space- 
bounded, and the associated verifier and prover are called (qy, qjvCj-^P'^ce-bounded and {qjvii qv)-space-bounded, 
respectively. One of the private qubits of the verifier is designated as the output qubit. 

Formally, an m-message (gy, 'ZA4)"Space-bounded quantum verifier V for quantum interactive proof systems 
is a polynomial-time computable mapping of the form V: {0, 1}* — > {0, 1}*. For every n and for every input 
X G {0, 1}* of length n, V uses at most q\;{n) qubits for his private space and at most (n) qubits for each com- 
munication with aprover. The string V{x) is interpreted as a [(m(n) + l)/2]-tuple {V{x)i, . . . , V{x)^(^jTi{n)+i)/2] )■> 
with each V {x)j a description of a polynomial-time uniformly generated quantum circuit acting on q\i{n) + qjvi (ra) 
qubits. 

Similarly, an m-message (g_A4, g^c) -space-bounded quantum verifier P is a mapping of the form 
P: {0, 1}* {0, 1}*. For every n and for every input x G {0, 1}* of length n, P uses at most qp{n) qubits 
for his private space and at most (n) qubits for each communication with a verifier. The string P{x) is inter- 
preted as a \m{n) /2] -tuple {P{x)i, . . . , -P(x)|-^(„)/2] )> with each P{x)j a description of a quantum circuit acting 
on gA^(n) + qp{n) qubits. No restrictions are placed on the complexity of the mapping P (i.e., each P{x)j can be 
an arbitrary unitary transformation). 

Given an m-message (gvi 9A4)"Space-bounded quantum verifier V, an m-message (gx, g-p) -space-bounded 
quantum prover P, and an input x of length n, we define a circuit {V{x), P{x)) acting over V ® M. V 
of q{n) qubits as follows. If m(n) is odd, circuits P{x)i,V{x)i, . . . , P{x)(^jn(^n)+i)/27V{^){m{n)+i)/2 are 
applied in sequence, each V{x)j to V M. and each P{x)j to M- If m(n) is even, circuits 

V{x)i,P{x)i, F(x)„(„)/2, P(x)„(„)/2, V(x)^(„)/2+i are applied in sequence. 

At any given instant, the state of the entire system is a unit vector in the space V M V . At the beginning 
of the protocol, the system is in the initial state such that all the qubits in V (8> "P are in state |0). In case V 
and/or P have some auxiliary quantum states p and/or a at the beginning of protocol, the qubits in the private space 
of V and/or P corresponding to these auxiliary quantum states are initialized to p and/or a, respectively. In such 
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a case, the state of the entire system may be in a mixed state in D(V (8) <8) 7^), and the descriptions below are 
interpreted in the context of mixed states with proper modifications. 

For every input x of length n, the probability Pacc{x, V, P) that (F, P) accepts x is defined to be the probability 
that an observation of the output qubit in the {|0), |1)} basis yields |1), after the circuit {y{x), P{x)) is appUed to 
the initial state IV'init) ® M ®V. Let Ilacc be the projection onto the space consisting of states whose output 
qubit is in state Then, pacc(a:, P) = \\^!,ccV{x)(rn{n)+i)/2P{x)(rn(n)+i)/2 ■ • • V'(x)iP(x)i|V'imt)|P if m(n) 
is odd, and Pacc(a;, V, P) = \\^s.ccy{x)m{n)/2+iP{x)^(n)/2y{x)m{n)/2 ' ' ' P{x)iV {x)i\i)iryit)\? if m{n) is even. 

The class of problems having an m-message quantum interactive proof system with completeness accepting 
probability at least c and soundness accepting probability at most s is denoted by QIP(m, c, s). The following is 
the formal definition of the class QIP(m, c, s). 

Definition 43. Given a polynomially bounded function m: Z"*" — > N and functions c,s: Z"*" — ^ [0; 1]? a problem 
A = {^ycs, ^no} is in QIP(m, c, s) iff there exist polynomially bounded functions qy, qj^ '■ Z"'" N and an m- 
message (gy, <?A^) -space-bounded quantum verifier V for quantum interactive proof systems such that, for every n 
and for every input x of length n, 

(Completeness) if x G ^yes^ there exist a function q-p: Z'^ ^ N, and an m-message (g^vj, g-p) -space-bounded 
quantum prover P such that (V, P) accepts x with probability at least c(n), 

(Soundness) if x G A^o, for any function (/^ : Z+ ^ N, and any m-message (g^vj, g^) -space-bounded quantum 
prover P', (V, P') accepts x with probability at most s(n). 

Next, we introduce the notions of public-coin quantum verifiers and public-coin quantum interactive proof 
systems. Intuitively, a quantum verifier for quantum interactive proof systems is pubUc-coin if every message from 
V consists of a sequence of outcomes of a fair classical coin-flipping. 

Formally, an m-message {qy, g^)-space-bounded quantum verifier V for quantum interactive proof systems is 
public-coin if V has the following properties for every n and for every input x of length n. At the jth transformation 
of y for 1 < j < [m{n)/2\ , V first receives at most q_\4 (n) qubits from a prover, then flips a fair classical coin at 
most qM {n) times to generate a random string rj of length at most qM {n), and sends rj to the prover. 

An m-message {qy, g^, q'7?)-space-bounded quantum interactive proof system is public-coin if the associated 
m-message (gy, ^x) -space-bounded quantum verifier is public-coin. 

The class of problems having an m-message public-coin quantum interactive proof system with completeness 
accepting probability at least c and soundness accepting probability at most s is denoted by QAM(m, c, s). The 
following is the formal definition of the class QAM(m, c, s). 

Definition 44. Given a polynomially bounded function m: Z+ ^ N and functions c, s: Z+ ^ [0, 1], a problem 
A = {Ayes, ^no} is in QAM(m, c, s) iff there exist polynomially bounded functions qy, qM : Z+ — > N iff there 
exist polynomially bounded functions qy, qM : Z+ — *■ N and an m-message {qy, g^vj) -space-bounded public-coin 
quantum verifier V for quantum interactive proof systems such that, for every n and for every input x of length n, 

(Completeness) if x G Ay^s, there exist a function : Z"*" — > N, and an m-message (gx, g-p)-space-bounded 
quantum prover P such that (V, P) accepts x with probability at least c(ra), 

(Soundness) if x G Ano, for any function : Z"*" ^ N, and any m-message (gx, gp)-space-bounded quantum 
prover P', (F, P') accepts x with probability at most s{n). 
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B Note on the Choice of Universal Gate Set 



When proving statements concerning quantum perfect zero-knowledge proofs or proofs having perfect complete- 
ness, we assume that our universal gate set satisfies some conditions, since these "perfect" properties may not hold 
with an arbitrary universal gate set. 

For instance, in the case of the paper by Kitaev and Watrous f20l, when we try to implement their parallelization 
protocol to three messages by unitary quantum circuits, we need to implement the controlled-unitary operation 
controlled by the message index r chosen by the verifier at his first transformation. If this implementation is not 
exact, we may lose the perfect completeness property after the parallelization, which affects their final statement 
that any problem in QIP has a three-message quantum interactive proof system of perfect completeness with 
exponentially small error in soundness. 

Furthermore, in the case of the paper by Marriott and Watrous |[23l . their method of converting any three- 
message quantum interactive proof system to a three-message public-coin one works well only if the original 
three-message protocol is implemented with unitary quantum circuits. Thus, their result inherits the problem of 
how to implement with unitary circuits the parallelization protocol due to Kitaev and Watrous [20], when claiming 
their statement in a final form that any problem in QIP has a three-message public-coin quantum interactive proof 
system of perfect completeness with exponentially small error in soundness (i.e., QIP C QMAM(1, 2~^) for any 
polynomially bounded function p). 

This is also the case for the present paper, since we are using both a modified version of the parallelization 
protocol due to Kitaev and Watrous ll20l and a public-coin technique due to Marriott and Watrous [23|. In our 
case, if the implementations of the controlled-unitary transformations are not exact, we may lose the perfect zero- 
knowledge property after the parallelization, since the implementations used for the simulator may differ from 
those used for the honest verifier. 

One direct solution to avoid these problems is to use such a universal gate set that (i) the Hadamard and Toffoh 
gates are exactly implementable with a constant number of gates in the universal gate set, and (ii) given a circuit Q 
consisting of gates in the universal gate set that exactly implements a unitary transformation U, we can construct 
another circuit Q' consisting of gates in the same universal gate set that exactly implements the controlled- [/ 
transformation such that the size of Q' is bounded by polynomial with respect to the size of Q. For instance, if the 
Toffoli gate is in our universal gate set il and the controlled-C/ gate is necessarily included in il for any gate U iniX 
not of controlled-unitary type, the condition (ii) is satisfied. This is because the controlled-controlled-f/ operator is 
easily realized by the controUed-C/ and Toffoli gates. From these observations, one can see that, for example, the 
set consisting of the Hadamard gate, the controUed-Hadamard gate, and the Toffoli gate satisfies both (i) and (ii). 

Watrous |[35l pointed out that the condition (ii) is actually not necessary for our purpose. In fact, what we 
need is a unitary implementation of the parallelization protocol that does not lose the "perfect" properties. The 
essence of the Kitaev-Watrous parallelization method lies in the use of the controlled-swap test. Note that, if 
we may assume the condition (i), the controlled-swap transformation can be implemented exactly. Now, instead of 
implementing the controlled-unitary operation controlled by the message index r, we may implement the following 
that is sufficient for our purpose. For simplicity, it is assumed that r is chosen from the set {0, . . . , 2' — 1} for 
some positive integer I (such an assumption does not lose generality because we can appropriately add "dummy" 
messages to the underlying protocol so that the number of messages becomes 2'+^ in the underlying protocol), 
and the unitary transformation Ur is applied when r is chosen. Suppose Ur acts over q qubits in a register T, 
for each r. We prepare ancillae of q qubits in a register for each r, and set the control qubits in a register C 
to the state Yl^r=o I'')- ^^^^ swap the content of T and that of when the content of C is r, for each 
r (this can be realized using controlled-swap transformations). Next we apply ?7o ® ■ ■ ■ ® t^2'-i to the qubits in 
(Aq, . . . , A2;_i), and then we again swap the content of T and that of A,, when the content of C is r, for each r. 
This results in applying C/q • • • Ur-i /2<? <8> Ur+i ® ■ ■ ■ C^2'-i to some meaningless quantum state when 
the content of C is r, and thus, would not keep the coherence of the quantum state in C. However, recall that 
the control part in the Kitaev-Watrous parallelization protocol is the message index r, which is originally chosen 
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at random classically when we describe the protocol in a non-unitary manner. Hence such decoherence does not 
affect the protocol at all, and we can have the unitary implementation of the protocol only using the circuits for 
U./s and for the controlled-swap operation. We may also use a similar technique when constructing a simulator. To 
avoid unnecessary complication, now the honest verifier sends all the ancilla qubits in the registers Aq, . . . , ^2^-1 to 
a prover at the second message in addition to the actual message prescribed in the protocol. The honest prover just 
ignores these ancilla qubits when sending the third message, and the simulator does not need to simulate the ancilla 
qubits. Therefore, all the "perfect" properties claimed in this paper (and ones in Refs. 1201 l23i] ) hold with any gate 
set such that the Hadamard transformation and any classical reversible transformations are exactly implementable. 
Fortunately, most of the standard gate sets satisfy this condition. A typical example is the Shor basis |[30l consisting 
of the Hadamard gate, the controUed-i-phase-shift gate, and the Toffoli gate. 
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